Cyber Incident Victim: Hong Kong Universities
Date: Nov 2019
Location: Hong Kong
Summary
A Chinese state-backed hacking group known as Winnti compromised computer systems at Hong Kong universities using targeted ShadowPad malware variants designed to steal sensitive information. The attackers employed customized command-and-control infrastructure matching the victims' identifiers and deployed malware modules with keylogging and screen-capture capabilities to harvest data from infected devices. Security researchers identified at least two confirmed breaches and suspected three additional academic institutions were compromised in the campaign, which leveraged simplified malware launchers to evade detection during prolonged network intrusions.
Description
Computer systems at two Hong Kong universities were compromised by the Winnti Group, a collective of Chinese state-backed hacking groups, during the Hong Kong protests that began in March 2019. The attacks were discovered in November 2019 when ESET researchers detected ShadowPad launcher malware samples on multiple devices using their Augur machine-learning engine. This followed earlier Winnti malware infections identified two weeks prior, in October 2019. The campaign was highly targeted: the command-and-control URLs and campaign identifiers matched the subdomains of the affected universities' names, confirming a deliberate focus on these institutions. The attackers deployed a variant of the ShadowPad backdoor featuring 17 modules, including keylogging and screen-capture capabilities enabled by default to steal information from compromised systems. This differed from previous ShadowPad variants analyzed by ESET, which lacked these active surveillance components. The malware's launcher used simplified obfuscation: it was not protected with VMProtect, and it used XOR encryption rather than the RC5 algorithm typical of earlier variants. ESET's analysis indicated that the attackers' primary objective was data exfiltration from university networks.

The Winnti Group, also tracked as APT41, BARIUM, and other aliases by cybersecurity firms, has operated since at least 2011 using shared malicious tools. Their infrastructure patterns suggested three additional Hong Kong universities may have been compromised in the same campaign, though this remained unconfirmed. The group historically conducted supply-chain attacks, including Operation ShadowHammer against ASUS LiveUpdate and compromises of NetSarang and CCleaner in 2017. In 2019, they introduced the PortReuse backdoor to target an Asian mobile hardware manufacturer. The Hong Kong university intrusions occurred against a backdrop of broader regional cyberespionage, with ESET linking the malware's characteristics to known Winnti Group tradecraft. No specific data theft was confirmed in published reports, but the malware's design prioritized credential harvesting and persistent access. The incident demonstrated continued evolution of state-aligned threat actors targeting academic institutions during periods of political tension.
