Accessibility links

China Declares Cyber-war on Hong Kong Protesters

Protesters turn on their mobile phone flashlights as they block an area outside the government headquarters building in Hong Kong Oct. 1, 2014.

Protesters turn on their mobile phone flashlights as they block an area outside the government headquarters building in Hong Kong Oct. 1, 2014.

Days after demonstrators in Hong Kong began filling streets protesting what they call a power grab by Beijing, the Occupy Central battles began moving online.

Shortly thereafter, a mobile digital security firm discovered something no one had yet seen before: a Chinese-authored spyware bug specifically designed and targeted to infect protestor’s iPhones and iPads.

Then a shadowy hacker activist group Anonymous announced what it called “full-scale war” - targeting the government of Hong Kong and others opposing the Occupy Central protests.

“If you continue to abuse, harass or harm protesters, we will continue to deface and take every web-based asset of your government off line,” a message from the group said. “That is not a threat, it is a promise.”

Yet despite such bluster, the cyber-battlefield here is far from equal.

Should wider attacks between Beijing and the Occupy movement break out, it’s very likely that China – with its vast resources and experience – could overwhelm the protestors and win the online war, according to analysts.

China's online aggression

China is home to the world’s most prolific and talented cyber criminals, experts say.

Akamai’s most recent “State of the Internet” report, released just last week, said that 43 percent of all Internet cyber-attacks originated from computers located in China, more than three times the volume of attacks from the next highest offender, Indonesia, at 15 percent.

Earlier this year, the US Justice Department indicted five Chinese army officials with 31 counts of hacking and cyber espionage – charges that Chinese officials have denied.

“It’s no surprise, in a situation like this, to discover that there are those who wish to steal information,” said Costin Raiu, director of global research and analysis at the cyber-security firm Kaspersky Labs told VOA via email.

“It is neither the first nor the last attack of this kind, we previously observed both targeted and cybercriminal attacks against mobile users,” he said. “This is unlikely to stop anytime soon. On the contrary, we are witnessing a steady growth of mobile malware.”

Malware, bugs

On the first day of the Occupy Central street protests, many in Hong Kong began to notice "Trojan Horse" messages targeting their Android mobile phones.

Trojan Horses are malicious programs that pretend to be legitimate software, but actually carry out hidden, harmful functions.

In and of itself, this wasn’t such an uncommon occurrence given Android’s relatively loose and open operating systems.

But a few days later, researchers with the mobile security firm Lacoon discovered something they had never seen before: a sophisticated, cross-platform spyware bug that, if downloaded, infected nearly every part of a users’ iOS – the closed and fairly secure operating system used by Apple iPads and iPhones.

“It was a surprise, definitely,” Michael Shaurov, CEO and co-founder of Lacoon, told VOA. “Everyone was excited and thrilled to finally find this, but basically what we believe is that this is something we’ve expected.”

The bug, officially known as Xsser mRAT, was discovered almost by accident while Lacoon researchers were trying to dissect the more common Android trojan-horse bugs.

After they traced the Android bugs’ command and control, or CnC, protocol, they stumbled on the iOS spyway.

“It’s sitting in the background and basically capturing all the sensitive information – data – that one has on your iPhone,” Shaurov said. “It starts with capturing location, all the contacts, text messages, photos, call logs, and to an extent it also goes to a really sensitive place on the iPhone, the keychain. It completely compromises your device.”

Shaurov calls Xsser “…the most polished malware for iOS that we’ve seen to date,” suggesting both that it was in the works for a while, and is not the product of a small group of criminals or hacktivists.

Computer bugs don’t come with signatures or pedigrees, but they do provide a range of clues as to who’s behind them.

Lacoon found that Xsser’s CnC servers were located inside China, that its program commands are in Chinese, and that it uses a Chinese anonymizing service.

“All that leads to the conclusion which is essentially that the entity that is operating Xsser is probably Chinese state-sponsored,” Shaurov said.

'Operation Hong Kong'

As the number of malware bugs floating around Hong Kong increased, so, too, did threats of cyber retaliation targeting both the government of Hong Kong and the Communist Party of China in Beijing.

So far, the threat that has garnered the most media attention was that from Anonymous.

Calling this latest venture “Operation Hong Kong,” a branch of Anonymous released a video last week, directly threatening the government of Hong Kong with coordinated, international attacks.

“Attacking protesters will result in releasing personal information of all of your government officials,” said a computerized voice-over on the video. “We will seize all your databases and e-mail pools and dump them on the Internet. This is your first and only warning.”

So far, Anonymous has been able to crash the website of the “Democratic Alliance for the Betterment and Progress of Hong Kong”, a large pro-Beijing political party; an act party chairman Tam Yiu-chung decried as “outrageous.”

Other websites have also crashed or been defaced, but so far there have been no major security breaches or large-scale data thefts reported, either in Hong Kong or Beijing.

Analysis is spotty, but the nature of such nuisance hacks suggests there are DDoS, or “distributed denial of service”, attacks. While embarrassing, DDoS hacks are usually short-lived and pose little security risks.

Given China’s “Great Firewall” of filtering and censorship, it’s unlikely Beijing would experience wide-scale security breaches, analysts say.

However, much of Hong Kong – among the most digitally connected societies on Earth – remains on the other side of the Great Firewall, putting servers and data at greater risk.

Lopsided fight

Jason Ng, an entrepreneur and blogger with the South China Morning Post, has been spending a lot of time recently in Hong Kong’s Admiralty district, home to much of the Occupy Central protests and sit-ins.

It was where that police deployed tear gas against demonstrators who had little more than their umbrellas to protect themselves, thus giving rise to the phrase “the Umbrella Uprising.”

“We live on social media – Facebook, Instagram – so everything that happens, the next second it’s going to be online,” Ng said.

Speaking with VOA, Ng told of watching hundreds of protestors, concerned about the government possibly cutting Internet or phone service, immediately gravitate to the new FireChat app.

Traditionally, cross-border cyber-attacks have occurred online, over hard-wired ISPs and targeting computers and laptops connected to the Internet.

But this current battle appears to be happening largely on mobile devices, analysts say.

Hong Kong isn’t just wired to the Internet; it has one of the greatest concentrations of mobile usage anywhere.

At present, those mobile phones and other gadgets are helping protestors get their message out and stay connected with each other.

However, with more spyware flooding the region, those devices could be turned against the movement.

“As soon as there’s a rumor, everyone will be talking about it,” Ng said. “People are telling each other to start saving everything they put online. In terms of awareness it’s there. But if there’s a very systematic cyber-attack on Hong Kong, we’ve never seen anything like that before.”

Others are certain who will win.

“It’s a non-balanced fight,” said Lacoon’s Michael Shaulov of a possible cyber showdown between Beijing and Occupy Central. “The nation-sponsored entity clearly has tools and capabilities that would be very difficult for the other party to fight against.”

  • 16x9 Image

    Doug Bernard

    Doug Bernard covers cyber-issues for VOA, focusing on Internet privacy, security and censorship circumvention. Previously he edited VOA’s “Digital Frontiers” blog, produced the “Daily Download” webcast and hosted “Talk to America”, for which he won the International Presenter of the Year award from the Association for International Broadcasting. He began his career at Michigan Public Radio, and has contributed to "The New York Times," the "Christian Science Monitor," SPIN and NPR, among others. You can follow him @dfrontiers.