DDoS Against Hong Kong’s Pro-Democracy Movement Linked to Chinese APT Actors

As the pro-democracy movement in Hong Kong has continued to mount a series of protests, attackers believed to be China-backed have launched a series of distributed denial of service attacks (DDoS) against websites promoting the movement there.

Specifically, websites belonging to Next Media’s Apple Daily publication have suffered from an ongoing DDoS attack that brought down its email system. Next Media is a large media company in Hong Kong.

“The use of DDoS attacks as a political tool during times of conflict is not new; patriotic hacktivist groups frequently use them as a means to stifle political activity of which they disapprove,” said FireEye researchers Ned Moran, Mike Oppenheim and Mike Scott, in an analysis. “The question of state sponsorship (or at least tacit approval) in online crackdowns is often up for debate and ambiguous from a technical evidence and tradecraft perspective.”

In this case, an overlap between the tools and infrastructure used by China-based advanced persistent threat (APT) actors and those used in the DDoS activity points to potential relationships, symbiosis and tool-sharing between patriotic hacker activity aimed at disrupting anti-government activists in China and APT activity that is focused more on IP theft and espionage.

“We believe that these DDoS attacks are linked to previously observed APT activity, including Operation Poisoned Hurricane,” the researchers noted.

FireEye has identified a number of binaries coded to receive instructions from a set of command and control (C2) servers instructing participating bots to attack Next Media-owned websites and the HKGolden forum—both of which have been used as a platform to organize pro-democracy protests. Each sample is signed with digital certificates that have also been used by APT actors to sign binaries in previous intrusion operations.

“The most direct connection between these DDoS attacks and previous APT activity is the use of the QTI International and CallTogether code signing certificates, which we have seen in malware attributed to APT activity,” said the researchers.

“While not conclusive, the evidence presented…shows a link between confirmed APT activity and ongoing DDoS attacks that appear to be designed to silence the pro-democracy movement in Hong Kong,” they added. “The evidence does not conclusively prove that the same actors responsible for the DDoS attacks are also behind the observed intrusion activity discussed above — such as Operation Poisoned Hurricane. Rather, the evidence may indicate that a common quartermaster supports both the DDoS attacks and ongoing intrusion activity.”

And that quartermaster is likely China itself. The hkgolden[.]com, nextmedia[.]com, and appledaily.com[.]hk websites are now, or previously have been, blocked by the Great Firewall of China, indicating that the Chinese government has found the content hosted on these sites objectionable.

“Operation Poisoned Hurricane’s objective appeared to have in part been IP theft possibly for economic gain or other competitive advantages,” the writers said. “In the DDOS attacks, the objective was to silence free speech and suppress the pro-democracy movement in Hong Kong. The Chinese government is the entity most likely to be interested in achieving both of these objectives.”

What’s hot on Infosecurity Magazine?