Riot police patrol in front of a so-called Lennon wall with the LIHKG Pig mascot ouside Tai Koo MTR station in Hong Kong, on Oct. 3, 2019. (Anthony Kwan/Getty Images)

Chinese Regime Deploys Cyber Weapon to Hijack Hong Kong Protest Forum

The Chinese regime has launched an offensive against a popular online forum used by Hong Kong protesters in an effort to undermine the ongoing pro-democracy movement that seeks an autonomous Hong Kong, AT&T Cybersecurity has found.

In a new blogpost on Dec. 4, the firm identified a series of state-linked cyber attacks since Aug. 31 targeting LIHKG—a localized Reddit-like social media forum. The platform has become a hub for Hong Kong activists to organize and coordinate protests since June, when the mass demonstrations first broke out to resist the actions by the communist regime in the territory.

The latest attacks against the forum started on Nov. 25.

From Behind the Great Firewall

Dubbed the ‘Great Cannon,’ distributed denial of service (DDoS) attacks work by intercepting traffic from China-based servers and inserting malicious Javascript to millions of internet users, and then hijacking those users’ connections to bombard a targeted site with traffic causing the victim’s server to crash.

A 2015 report by the Canadian-based Citizen Lab found that the Great Cannon shared the same infrastructure as the Chinese regime’s sophisticated online censorship mechanism, known as the Great Firewall. According to the report, the Great Cannon is “not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic … and can arbitrarily replace unencrypted content as a man-in-the-middle.”

A mural of pixel pig, an icon of LIHKG also known as the Hong Kong version of Reddit, is seen on a Lennon Wall in Hong Kong, on Sept. 27, 2019. (Anthony Kwan/Getty Images)

The malicious code sends repeated requests to the LIHKG home page in an attempt to cripple it. The code also targets several dozen memes and websites that appear on LIHKG, most likely in an attempt to make the number of requests received by LIHKG blend in with “normal traffic.”

The requests also go so far as to direct LIHKG to unnecessarily process remote memes to a new size before they are served to the user—draining the server’s computational resources.

However, according to AT&T Cybersecurity researcher Chris Doman, these hijacking activities are unlikely to succeed, owing to the robust anti-DDoS service LIHKG has in place and some bugs in the malicious code.

Doman said it was “disturbing” to see the renewed use of such cyber weapons that are “again causing collateral damage to U.S.-based services.”

In a post dated Aug. 31, LIHKG reported that it had suffered from “unprecedented DDoS attacks in the past 24 hours,” with more than 1.5 billion total requests and a maximum of over 6.5 million unique visitors per hour, which led to internet congestion and overload.

LIHKG said there were “reasons to believe” that a national power was behind the orchestrated attacks. It expressed appreciation to the internet security provider Cloudflare for mitigating the attacks.

Attacks on Telegram

Earlier on June 12, Telegram’s Pavel Durov had reported a “state-actor-sized” DDoS attack with majority of IP addresses coming from China. June 12 was the day that around two million Hongkongers took to the streets demanding the local city government withdraw a controversial extradition bill that was seen to be eroding Hong Kong’s rule of law free from the control of the Chinese Communist Party.

Like LIHKG, Telegram has also been a chief coordinating tool used by protesters. Durov noted that similar cyber attacks have been seen to coincide with Hong Kong protest activities over the past few months.

Other Cyber Attacks

On Aug. 31, 2017, Great Cannons took aim at a New York-based Chinese language news website Mingjing News. AT&T Cybersecurity said it has continued to observe attacks over the past year, and noted that the Javascript code in the Aug. 31 attack against LIHKG was “very similar” to that used to target Mingjing News.

In March 2015, the Microsoft-owned software sharing platform GitHub experienced the largest DDoS attack in its history, with the intent of forcing the platform to “remove a specific class of content,” according to GitHub. The volume of malicious traffic paralyzed its website for five days.

In the same month, GreatFire, the nonprofit that dedicates itself to monitor and counter the Chinese regime’s internet censorship, also experienced multiple similar attacks. The organization said the requests totaled to as many as 2.6 billion per hour—about 2,500 times higher than normal levels.

The timing of the attacks coincided with increased pressure from the Cyberspace Administration of China—the country’s internet regulator—which called GreatFire an “anti-China website” and pressed its IT partners to cease collaboration.