Cyber Incident Victim: Alliance for True Democracy
Date: Oct 2014
Location: Hong Kong
Summary
Pro-democracy websites in Hong Kong, including the Alliance for True Democracy, were compromised to deliver malicious code to their visitors. Attackers injected JavaScript loaded from a domain associated with advanced persistent threat (APT) activity, which at the time resolved to an IP address in Japan, and planted a password-protected webshell to keep access to the server after the injected code was removed. Malicious iframes on an affiliated site redirected visitors through a Chinese URL shortener to exploit pages that profiled the visitor's system and delivered malware through Java vulnerabilities. A further compromised site carried an iframe pointing to a defunct page on a South Korean hotel website. The campaign reused infrastructure tied to an earlier high-profile attack, and its end goal against visitors was system profiling followed by malware installation.
Description
In October 2014, security researchers at Volexity identified malicious activity on four Hong Kong pro-democracy websites: the Alliance for True Democracy (ATD), the Democratic Party Hong Kong (DPHK), People Power, and the Professional Commons. Each site had been altered so that visitors received malicious code. ATD and DPHK were observed loading a potentially malicious JavaScript file from the domain java-se.com, which Volexity associated with APT activity. At the time of discovery the domain resolved to an IP address in Japan. Historical analysis showed that java-se.com had previously been linked to an APT campaign against Japan's nikkei.com in September 2014, in which attackers modified a nikkei.com subdomain to load content from the malicious domain. In addition, ATD's web server held a password-protected backdoor webshell, a tool Volexity described as commonly used by attackers to retain access to a compromised system even after the initially injected code has been cleaned up; removing the injected script without finding the webshell leaves the attacker in place.

The People Power website hosted malicious iframes that sent visitors to exploit pages via shortened URLs from the Chinese service 985.so. Three of these short links resolved to a single IP address hosting Java exploits that installed malware matched to the victim's system architecture (32-bit or 64-bit). The Professional Commons site contained a suspicious iframe pointing to a defunct page on a South Korean hotel website; that page redirected to the hotel's main page and delivered no observable exploit, but an inactive redirect of this kind can be re-armed at any time, so the injected iframe itself is the indicator of compromise. Volexity's investigation confirmed the presence of profiling scripts on the exploit pages, which collected system information to decide which exploits the visitor was susceptible to. No details of victim impact, data theft, or remediation by the affected organizations were disclosed in the available reporting. Volexity's blog post of October 9, 2014 was the primary public disclosure of these compromises at the time.
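The injections described above share one shape: a `<script src>` or `<iframe src>` that pulls content from a host the site never intended to load from, often hidden with zero dimensions or `display:none`. The following scanner is an added example written for this page, not Volexity's tooling and not code from any of the affected sites. It assumes the operator keeps an allow-list of first-party and expected third-party hosts (the hosts in `ALLOWED_HOSTS` are assumed), and the sample page is constructed to mirror the report: an external script from java-se.com and a hidden iframe to a 985.so short link (the short-link path is made up).

```python
"""Flag externally sourced <script>/<iframe> loads in fetched HTML.

Added example for this incident write-up, not code from Volexity or the
compromised sites. Hosts in ALLOWED_HOSTS are assumed; the sample page is
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: the site's own host plus expected third parties.
ALLOWED_HOSTS = {"www.example-democracy.hk", "ajax.googleapis.com"}


def _is_hidden(tag, attrs):
    """True for iframes styled or sized so the visitor never sees them."""
    if tag != "iframe":
        return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width") or 1)
        height = int(attrs.get("height") or 1)
    except ValueError:
        return False
    return width == 0 or height == 0


class _ExternalLoadFinder(HTMLParser):
    """Collects script/iframe elements whose src host is not allow-listed."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script or srcdoc iframe: out of scope here
        # urlparse handles absolute and scheme-relative (//host/path) URLs;
        # relative paths such as /js/site.js yield no hostname and are skipped.
        host = urlparse(src).hostname
        if host is None or host.lower() in self.allowed:
            return
        self.findings.append({
            "tag": tag,
            "host": host.lower(),
            "src": src,
            "hidden": _is_hidden(tag, a),
            "line": self.getpos()[0],
        })


def scan_html(html, allowed=ALLOWED_HOSTS):
    """Return a list of findings for non-allow-listed script/iframe sources."""
    finder = _ExternalLoadFinder({h.lower() for h in allowed})
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one legitimate external script, one injected
# script from java-se.com, one hidden iframe to a 985.so short link.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script type="text/javascript" src="http://java-se.com/o.js"></script>
</head><body>
<h1>News</h1>
<iframe src="https://www.example-democracy.hk/embed/vote" width="600" height="400"></iframe>
<iframe src="http://985.so/shortlink" width="0" height="0" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        severity = "HIGH (hidden)" if f["hidden"] else "MEDIUM"
        print(f"line {f['line']}: <{f['tag']}> from {f['host']} {severity}: {f['src']}")
```

Run it against a copy of the page fetched from the server's document root rather than from a browser, so that content added by the attacker at the server side is what you inspect; and treat any hit as a reason to look for a webshell as well, since the report notes the injected script is often not the only thing the attacker left behind.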
