
Pro-democracy Hong Kong sites DDoS'd with Chinese cyber-toolkit

Now we're not saying it was the Chinese government, but...

Hacking attacks against organisations promoting democracy in Hong Kong were run using the same infrastructure previously linked to Chinese cyber-espionage attacks, according to new research from security firm FireEye.

Sites promoting the Occupy Central Pro Democracy movement, including Next Media’s Apple Daily publication and the HKGolden forum, have been hit by DDoS attacks.

The assaults against Next Media’s Apple Daily "brought down its email system for hours" as well as affecting its website.

The use of DDoS attacks as a political tool during times of conflict is not new; patriotic hacktivist groups frequently use them as a means to stifle rival political groups. The apparent objective of these DDoS attacks is to silence free speech and suppress the pro-democracy movement in Hong Kong. The Chinese government is therefore an obvious suspect.

In the case of Hong Kong, FireEye discovered "an overlap in the tools and infrastructure used by China-based advanced persistent threat (APT) actors and the DDoS attack activity" against the Hong Kong protest movement.

FireEye reports that the DDoS attacks against the pro-democracy movement were carried out using the KernelBot network. Samples of the malware powering these attacks are signed with digital certificates linked to previously observed APT activity, including Operation Poisoned Hurricane, according to FireEye.

FireEye has identified a number of binaries coded to receive instructions from a set of command and control (C2) servers instructing participating bots to attack Next Media-owned websites and the HKGolden forum. Next Media is a large media company in Hong Kong and the HKGolden forum has been used as a platform to organise pro-democracy protests. Each sample we identified is signed with digital certificates that have also been used by APT actors to sign binaries in previous intrusion operations. These binaries are W32 Cabinet self-extracting files that drop a variant of an older DDoS tool known as KernelBot.

The QTI International and CallTogether code signing certificates, previously seen in malware attributed to APT activity, have cropped up in malicious code used in other attacks targeting the pro-democracy movement in Hong Kong. For example, malicious JavaScript inserted into the Hong Kong Association for Democracy and People's Livelihood website featured the QTI certificate.

More recently, as noted by security researcher Claudio Guarnieri, the website of the Democratic Party of Hong Kong hosted a redirect to the same malicious JavaScript.

All this tool and infrastructure sharing points to links between pro-Beijing hacktivists and state-sponsored groups focused on IP theft and cyber-espionage. It's evidence of collusion but far from definitive, according to FireEye.
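The pivot FireEye describes, surfacing signing certificates that recur across otherwise separate activity clusters, can be reproduced over sandbox signature metadata. The following is an added example, not FireEye's tooling or code from the article; the signer names come from the article, while the sample labels, cluster names and their pairings are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class SignedSample(NamedTuple):
    sample_id: str  # constructed label, not a real hash
    signer_cn: str  # subject CN of the Authenticode signing certificate
    activity: str   # analyst-assigned cluster (DDoS, intrusion, web injection)


# Constructed observations modelled on the article: signer names are the ones
# named by FireEye; sample ids and cluster assignments are illustrative only.
OBSERVATIONS = [
    SignedSample("sample-A", "QTI International", "hk-ddos-kernelbot"),
    SignedSample("sample-B", "CallTogether", "hk-ddos-kernelbot"),
    SignedSample("sample-C", "qti international", "poisoned-hurricane-intrusion"),
    SignedSample("sample-D", "CALLTOGETHER", "hk-js-injection"),
    SignedSample("sample-E", "Some Legit Vendor", "unrelated-commodity"),
]

# Watchlist of signers previously tied to APT activity, taken from the article.
APT_SIGNER_WATCHLIST = ["QTI International", "CallTogether"]


def normalize_signer(cn: str) -> str:
    """Case- and punctuation-insensitive key so differently rendered CNs pivot together."""
    return " ".join(cn.lower().replace(",", "").replace(".", "").split())


def signer_overlaps(samples):
    """Signers seen in more than one activity cluster, mapped to those clusters.

    A shared signer suggests shared tooling (FireEye's 'common quartermaster'),
    not proof that one actor runs every cluster.
    """
    by_signer = defaultdict(set)
    for s in samples:
        by_signer[normalize_signer(s.signer_cn)].add(s.activity)
    return {k: sorted(v) for k, v in by_signer.items() if len(v) > 1}


def samples_matching_watchlist(samples, watchlist):
    """Sample ids whose signer matches a watchlisted certificate subject."""
    keys = {normalize_signer(w) for w in watchlist}
    return sorted(s.sample_id for s in samples if normalize_signer(s.signer_cn) in keys)


if __name__ == "__main__":
    for signer, clusters in signer_overlaps(OBSERVATIONS).items():
        print(f"{signer}: shared by {', '.join(clusters)}")
    print("watchlist hits:", samples_matching_watchlist(OBSERVATIONS, APT_SIGNER_WATCHLIST))
```

In practice the signer CN would be read from each sample's Authenticode signature, and a cert thumbprint or serial is a stronger pivot key than the subject name alone.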

"The evidence presented above shows a link between confirmed APT activity and ongoing DDoS attacks that appear to be designed to silence the Pro Democracy movement in Hong Kong," FireEye concludes in a blog post. "The evidence does not conclusively prove that the same actors responsible for the DDoS attacks are also behind the observed intrusion activity discussed above – such as Operation Poisoned Hurricane. Rather, the evidence may indicate that a common quartermaster supports both the DDoS attacks and ongoing intrusion activity."

It almost goes without saying, but the hkgolden.com, nextmedia.com, and appledaily.com.hk websites are blocked by the Great Firewall of China – indicating that authorities in Beijing have found the content hosted on these sites objectionable.

Other security researchers have noted that Hong Kong protesters have been infected by iOS and Android spyware. Lacoon Mobile Security spotted the Xsser mRAT spyware being slung around while posing as an Occupy Central coordination app.

Pro-democracy protests in Hong Kong began in September and have continued to escalate since. ®
