Cyber Incident Victim: People Power
Date: Oct 2014
Location: Hong Kong
Summary
Pro-democracy websites in Hong Kong, including People Power, were compromised and served malicious code to visitors. Attackers injected JavaScript loaded from a domain associated with advanced persistent threat activity, hosted in Japan at the time, and used password-protected backdoor webshells to maintain access. The coalition's site contained malicious iframes linking to exploit pages via a Chinese URL shortener; the exploit pages profiled visitor systems and, on success, delivered Java exploits that installed malware. Another affected organization's site displayed a suspicious iframe redirecting to a non-existent page on a South Korean hotel website. The incidents involved coordinated exploitation techniques across multiple groups to deploy malware and sustain unauthorized access.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In October 2014, Washington-based cybersecurity firm Volexity identified malicious activity compromising four Hong Kong pro-democracy websites: the Alliance for True Democracy (ATD), Democratic Party Hong Kong (DPHK), People Power, and Professional Commons. The attackers injected malicious JavaScript code into ATD and DPHK websites, sourcing content from the domain java-se.com—a known malicious domain associated with advanced persistent threat (APT) activity. At the time of Volexity’s investigation, this domain resolved to a server in Japan. The java-se.com domain had previously been linked to an APT attack against Japan’s nikkei.com in September 2014, where attackers modified a subdomain to load malicious JavaScript. ATD’s website additionally contained a password-protected backdoor webshell, a tool Volexity described as commonly deployed to maintain persistent access after initial compromises.

The People Power website hosted malicious iframes that loaded exploit pages via shortened URLs from the Chinese URL-shortening service 985.so. Three of the four shortened links directed visitors to a single IP address hosting exploit kits. These kits performed system profiling to detect vulnerable software, then delivered Java exploits designed to install 32-bit or 64-bit malware. Professional Commons' website contained a suspicious iframe redirecting to a non-existent page on a South Korean hotel website, so that attempt failed. Volexity's analysis confirmed the compromises but did not identify specific malware payloads or quantify victim infections. The firm documented these findings in a public blog post on October 9, 2014; the article provided no details regarding remediation efforts by the affected organizations.
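The two injection patterns described above (a script tag sourcing JavaScript from an attacker-controlled domain, and a hidden iframe pointing at a URL shortener) are exactly what a site owner can check for by scanning their own served HTML. The following is an added example, not code from Volexity or from any of the affected organizations: a small Python scanner that lists every externally sourced script and iframe, flags hosts that are neither the site's own nor on an allowlist, and notes when an iframe is hidden. The sample page, the victim hostname, the allowlisted CDN host and the shortener list (other than 985.so, which the write-up names) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL-shortening hosts. 985.so is the service named in the
# Volexity write-up; the remaining entries are an assumption for the example.
URL_SHORTENERS = {"985.so", "bit.ly", "t.cn", "tinyurl.com"}


class RemoteResourceCollector(HTMLParser):
    """Collects <script> and <iframe> elements that carry a src attribute."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, src, attrs-dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            attr_map = {k: (v or "") for k, v in attrs}
            if attr_map.get("src"):
                self.resources.append((tag, attr_map["src"], attr_map))


def _is_hidden(attrs):
    """True for the classic zero-size or display:none iframe used in drive-by injections."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width") == "0"
        or attrs.get("height") == "0"
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_suspicious_includes(html, site_host, allowed_hosts=()):
    """Return externally sourced scripts/iframes whose host is not the site's own
    and not allowlisted. Each finding records why it was flagged."""
    parser = RemoteResourceCollector()
    parser.feed(html)
    site_host = site_host.lower()
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag, src, attrs in parser.resources:
        host = urlparse(src).hostname  # None for relative URLs; lowercased by urlparse
        if host is None or host == site_host or host in allowed:
            continue
        findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            "reason": "url-shortener" if host in URL_SHORTENERS else "external-host",
            "hidden": tag == "iframe" and _is_hidden(attrs),
        })
    return findings


# Constructed sample page modelled on the injection patterns in the write-up:
# one script from the attacker domain, one hidden iframe through the shortener.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-allowed.org/jquery.js"></script>
<script src="http://java-se.com/lib.js"></script>
</head><body>
<p>Campaign news</p>
<iframe src="http://985.so/abcd" width="0" height="0" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_suspicious_includes(
        SAMPLE_PAGE, "www.example-victim.org", {"cdn.example-allowed.org"}
    ):
        flag = " (hidden)" if f["hidden"] else ""
        print(f"{f['tag']:6} {f['reason']:14} {f['host']}{flag}  <- {f['src']}")
```

Run against a snapshot of the served page (fetched through a normal browser user agent, since the exploit pages profiled visitors), the output is a short list of third-party hosts to reconcile against what the site is supposed to load; a host that appears on no change record is the lead to pull, and a zero-size iframe toward a shortener is the strongest signal in the list.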
