A Cyberwar Quietly Rages Over Hong Kong

October 24, 2014 Updated: October 25, 2014

While protesters clash with police on the streets of Hong Kong, an unseen battle is being fought on the Internet. A conflict between hackers and the Chinese government is running quietly alongside what takes place on the streets.

In unusually sophisticated attacks that analysts believe are coming from the Chinese regime, hackers are infiltrating the phones, tablets, and computers of pro-democracy activists in Hong Kong. The breaches allow them not only to know what the protesters are planning ahead of time, but will enable them to monitor the activists even after the protests end.

The shadowy world of hackers isn’t just on the side of the Chinese regime. Hackers in security are hard at work shining a light on the Chinese regime’s cyberattacks. Hacker activists, meanwhile, are also hard at work launching attacks on Chinese government websites and calling for support of the democracy activists on social media.

Article Quote: A Cyberwar Quietly Rages Over Hong Kong

Infiltration for Spying

Steven Adair, CEO of security company Volexity, is currently investigating a set of targeted cyberattacks in Hong Kong designed to infect computers of people visiting pro-democracy websites.

His findings so far, along with findings from other researchers, create a disturbing picture.

“It looks like someone is trying to infect and keep tabs on all pro-democracy people in Hong Kong,” Adair said in a phone interview.

Volexity has been tracking an advanced cyberattack for the last few months, which is targeting websites in Hong Kong and Japan. A summary of their findings states, “In both countries, the compromised websites have been particularly notable for their relevance to current events and the high profile nature of the organizations involved.”

“In particular the Hong Kong compromises appear to come on the heels of the Occupy Central Campaign shifting into high gear,” it states.

The attack works through websites that have been infected by hackers, and if a user visits the sites it will install malware on their devices. Among the websites it has appeared on are the English and Chinese-language websites for the Democratic Party Hong Kong.

What makes the attack particularly interesting, however, is advanced code that filters which users it infects.

“What it tells us is it’s less likely they made a mistake, but rather they had more data on who they wanted to exploit,” Adair said, adding “They’re interested in what you’re browsing and what kind of documents you have on your system. Those kinds of things.”

Article Quote: A Cyberwar Quietly Rages Over Hong Kong

Smartphone Attacks

The attack through the democracy websites was not the first aimed at the protesters.

Two different attacks on Hong Kong democracy protesters were uncovered on Sept. 30 by researchers at Lacoon Mobile Security. What they found were advanced attacks on smartphones and tablets tailored to target democracy activists in Hong Kong.

According to Michael Shaulov, CEO of Lacoon Mobile Security, the Chinese regime has plenty of incentive to hack smartphones since “you are able to track communications over the device itself and gain access to real-time information.”

Consider that smartphones also have GPS trackers, microphones, cameras, and are carried by people just about everywhere—including during important meetings—and you have the perfect device to spy on.

“If you’re a government actor, getting your hands on this type of information is really more powerful than getting information on laptops,” Shaulov said. “For the purpose of spying it’s probably the perfect tool.”

People with Android smartphones in Hong Kong started receiving messaging saying “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL!”

The note sent on mobile messaging tool WhatsApp likely came off as legitimate. Code4HK is a community of programmers who have been developing technology to help in the democracy protests.

If a user clicked on the link, according to Lacoon Mobile Security, it would install an advanced tool called an mRAT that allows a hacker nearly full access to their phones.

The researchers states on their blog, the mRAT “is undoubtedly one of the more advanced we’ve seen. It can extract almost anything it wants from the device, making it an extremely versatile method of surveillance …” It gives the hacker access to email, call logs, and the user’s location, among other things.

The researchers add that they believe the Chinese regime is behind the attacks, and note it is “also a very advanced mRAT that is undoubtedly being backed by a nation state.”

The attack on Android phones wasn’t isolated. The attack was launched side-by-side with a nearly identical mRAT targeting iOS users with iPhones and iPads.

This took the researchers by surprise, Shaulov said, because hackers interested in money will rarely take the trouble to breach an iOS device.

The iOS version of the virus, which researchers at Lacoon Mobile Security called Xsser mRAT, works and was spread similarly to the Android virus, but it only affects jailbroken devices—devices in which the operating system has been modified by the user, removing certain restrictions and allowing manufacturer-prohibited software to be uploaded.

Considering that at least 30 percent of iPhones in China were jailbroken in 2013, according to Tech In Asia, the reach of the virus could still be broad.

Shaulov said they’ve only seen one other attack that went after both Android and iOS devices simultaneously, and noted the iOS attack used a “very sophisticated and very polished piece of malware.”

On Oct. 20, another cyberattack was uncovered, this one targeting Apple iCloud. Researchers at GreatFire.org said Chinese authorities are launching attacks that give them usernames and passwords for iCloud accounts, which would then give them access to data such as photos, videos, and contacts.

According to an analysis of the attack from GreatFire.org, the attack may “be related again to images and videos of the Hong Kong protests being shared on the mainland.”


The logo of hacker collective Anonymous is shown in a promotional image. Anonymous has been launching cyberattacks against the Chinese regime to support democracy protests in Hong Kong. (Anonymous)
The logo of hacker collective Anonymous is shown in a promotional image. Anonymous has been launching cyberattacks against the Chinese regime to support democracy protests in Hong Kong. (Anonymous)

While people in the cybersecurity industry are busy exposing attacks, activist hackers are busy launching attacks they say are meant to support people of Hong Kong protesting for democracy.

On Oct. 18, members of the hacker collective Anonymous launched coordinated attacks against Chinese government websites, after they officially declared cyberwar on the regime in an Oct. 15 video announcement.

According to Strudalz, a prominent member of Anonymous, the attacks “show it’s possible to break their regime down. They are only as strong as the people allow them to be.”

The attacks, which targeted more than 150 websites, were the latest in “Operation Hong Kong,” launched by Anonymous in early October to support democracy protests in Hong Kong.

The largest attacks took place on Oct. 11 when members of Anonymous leaked databases from 51 Chinese-government websites, which contained tens of thousands of usernames and passwords, phone numbers, and other information.

Hackers with Anonymous were also launching distributed denial of service (DDoS) attacks on Chinese government websites, which can overload the sites with artificial traffic and take them offline.

The cyberattacks from Anonymous seem to be more symbolic than anything. Some Chinese netizens have pointed out that few people in China visit the Chinese government websites they’re attacking.

But the attacks have irked the Chinese regime. The International Business Times reported on Oct. 6 that Chinese authorities had arrested five suspected hackers with Anonymous aged between 13 and 39.

The Chinese regime’s Hong Kong Liaison Office told Reuters “This kind of Internet attack violates the law and social morals, and we have already reported it to the police.”

On a deeper level, the protests in Hong Kong are an ideological challenge to the Chinese Communist Party (CCP).

The protests are being led by a belief in democracy and freedom, and the CCP is trying to discredit those principles by labeling the movement as something instigated by foreign governments, with ill intent toward China.

A large part of the CCP’s efforts to quash the protests have likewise taken place through propaganda channels. News agencies in China have been using two propaganda lines: one that the protests are instigated by foreign forces, and another that nobody is really joining the protests anyway.

Meanwhile, the CCP has been hard at work trying to silence independent media in Hong Kong, and its online censors have been working double-time to remove online blog posts and comments that support the protests.

With “Twitterstorms” Anonymous has been countering the CCP’s censorship by spreading articles and information about the protests.

The people of Hong Kong have responded. Protesters often hold up signs thanking Anonymous for its support and regularly Tweet photos of them doing so.

Anonymous views the DDoS attacks and the stealing of the Chinese regime’s databases as the 21st century version of a sit-in. In the virtual landscape of the Internet, it is staging its own “occupation.” Parallel to the real world one in Hong Kong, its occupation also calls attention to the demand for democracy.

Follow Joshua on Twitter: @JoshJPhilipp