Digital footprints from previous cyberthreats believed to have emanated from China have been linked to recent attacks on pro-democracy websites in Hong Kong, according to a new report.
The findings of cybersecurity forensics firm FireEye suggest that there may be a “common quartermaster” behind the two attacks, further supporting a running theory that Chinese officials are breaching Hong Kong’s networks to suppress or spy on the ongoing political uprising there. Protesters in Hong Kong have been demonstrating since September, pushing for greater freedom in choosing their political representation.
FireEye analysts said they made the discovery when they matched digital certificates from a series of quiet data thefts originating in China, which FireEye reported earlier this year, to those of a conspicuous network-blocking attack that disrupted a pro-democracy Hong Kong news site in October.
Because the two types of attacks have very different agendas, the fact that they shared common certificates suggests they may be motivated by Chinese state interests, said FireEye analyst Mike Scott, one of the report’s authors.
“We understand that there has been a long series of campaigns over the past 10 to 15 years coming from China [to steal intellectual property],” said FireEye analyst Ned Moran, who co-authored the report. “We can tie that intrusion activity through technology data points to the [pro-democracy news site attack], which is attempting to suppress speech in Hong Kong. Who would benefit from both of those activities?”
Scott added that the reason his team was able to detect the digital certificates was that whoever created the malware didn’t employ high levels of security, a step attackers often skip because digital certificates function more like receipts than fingerprints, revealing only usage and not attackers’ identities.
Supporters of the pro-democracy movement, known as Occupy Central, have been the target of recent attacks that cybersecurity watchdogs believe are also the work of the Chinese government. On Sept. 17, a group of coders backing transparency in Hong Kong’s government reported that several protesters’ Android operating systems had been infected with spyware. Two weeks later, Lacoon Mobile Security found that similar spyware was targeting protesters’ iOS systems. The firm said that because cross-platform attacks are so rare, the perpetrator is likely “a large organization or nation-state.”
FireEye analysts said that they did not discover any direct links between the attacks on protesters’ Android and iOS devices and the attacks on pro-democracy news sites, but said that the attackers may be using several methods to achieve their goal.