Cyber Incident Victim: Professional Commons

Date: Oct 2014

Location: Hong Kong

Summary

Pro-democracy websites in Hong Kong, including Professional Commons, were compromised to deliver malicious code to visitors. Attackers employed JavaScript from a domain linked to advanced persistent threat activity, along with password-protected webshells for persistent access on some sites. Malicious iframes redirecting to exploit pages via URL shorteners were identified, while one organization's site contained a suspicious iframe pointing to a non-existent South Korean hotel page. The attacks involved system profiling and exploitation attempts to install malware on targeted systems.

Description

In October 2014, researchers at Volexity identified malicious code on four Hong Kong pro-democracy websites: the Alliance for True Democracy (ATD), the Democratic Party Hong Kong (DPHK), People Power, and Professional Commons. The ATD and DPHK sites were compromised to load a malicious JavaScript file from the domain "java-se.com," which Volexity linked to advanced persistent threat (APT) activity. At the time of discovery, this domain resolved to an IP address in Japan. The same domain had previously been implicated in an attack on Japan’s nikkei.com website in September 2014, where a compromised subdomain delivered malicious JavaScript. Further analysis of ATD’s infrastructure revealed a password-protected backdoor webshell, a tool commonly used by attackers to maintain persistent access even after initial compromises are remediated. Volexity noted this webshell type had been observed in multiple prior website breach investigations.

The People Power website contained malicious iframes that redirected visitors to exploit pages via shortened URLs from the Chinese service 985.so. Three of these links directed to a single IP address hosting Java exploits designed to install malware tailored to the victim’s system architecture (32-bit or 64-bit). These exploits performed system profiling to identify vulnerabilities before deploying payloads. Professional Commons’ website included a suspicious iframe pointing to a defunct page on a South Korean hotel domain, which redirected to the hotel’s main site without delivering visible exploits. Volexity’s investigation did not confirm malware distribution through this vector but noted its anomalous presence. The compromises collectively exposed visitors to potential malware infections, though the article did not specify whether infections were confirmed or detail remediation efforts by the affected organizations.
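The two injection patterns described above, an off-site script include and an iframe redirecting through a URL shortener, are both visible in a site's own HTML, so one practical defensive check is to scan served pages for script and iframe sources that do not belong to the site. The following is an added example, not code from this record or from Volexity. The sample HTML is constructed; java-se.com and 985.so are the hosts named in the record, while the additional shortener entry and the tiny-frame heuristic are assumptions standing in for an organisation's own watch list and the record does not state how the iframes were sized.

```python
"""Flag third-party <script src> and <iframe src> includes in a page.

Added example for this incident record. The sample page and the
shortener watch list (other than 985.so) are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as URL shorteners. 985.so is taken from the record;
# shortener.example is a constructed placeholder for a real watch list.
SHORTENER_HOSTS = {"985.so", "shortener.example"}


class IncludeCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.includes = []  # list of (tag, src, attribute dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            attr_map = dict(attrs)
            src = attr_map.get("src")
            if src:
                self.includes.append((tag, src, attr_map))


def host_of(url):
    """Lower-cased hostname of a URL, or '' for relative paths."""
    return (urlparse(url).hostname or "").lower()


def same_site(host, site_host):
    """True when host is the site itself or one of its subdomains."""
    return host == site_host or host.endswith("." + site_host)


def find_external_includes(html, site_host):
    """Return one finding per script/iframe source not hosted on site_host.

    Each finding carries the tag, the raw src, its host and a list of
    reasons: third-party-<tag>, url-shortener, and tiny-frame (a generic
    hidden-iframe heuristic, not something the record itself describes).
    """
    parser = IncludeCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.includes:
        host = host_of(src)
        if not host or same_site(host, site_host):
            continue  # relative or first-party include: expected
        reasons = ["third-party-" + tag]
        if host in SHORTENER_HOSTS:
            reasons.append("url-shortener")
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        if tag == "iframe" and tiny:
            reasons.append("tiny-frame")
        findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page for a fictional site, example-party.org.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-party.org/jquery.js"></script>
<script src="http://java-se.com/js/stat.js"></script>
</head><body>
<iframe src="http://985.so/abc12" width="0" height="0"></iframe>
<iframe src="http://www.example-party.org/video"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_external_includes(SAMPLE_HTML, "example-party.org"):
        print(finding["tag"], finding["src"], ",".join(finding["reasons"]))
```

Run against a crawl of the site's own pages on a schedule and diff the findings between runs: a first-party site rarely gains a new third-party script or iframe host legitimately, so any new host is worth a look before visitors are exposed.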
