Cyber Incident Victim: Democratic Party Hong Kong
Date: Oct 2014
Location: Hong Kong
Summary
Several pro-democracy organizations in Hong Kong had their websites compromised and malicious code injected to target visitors. The sites of the Democratic Party Hong Kong and an associated group were altered to load JavaScript from a domain linked to advanced persistent threat (APT) activity, while one coalition's page contained iframes redirecting visitors to exploit kits that profiled the victim's system before delivering malware. Another organization's site carried a password-protected webshell backdoor to maintain persistent access, and a fourth displayed a suspicious iframe attempting to redirect to a non-existent page on a South Korean hotel website. The attacks leveraged known malicious infrastructure, including a domain previously associated with high-profile breaches.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In October 2014, security researchers at Volexity identified malicious activity targeting four Hong Kong-based pro-democracy organizations: the Alliance for True Democracy (ATD), the Democratic Party Hong Kong (DPHK), People Power, and the Professional Commons. The attackers compromised the groups' websites to deliver malicious code to visitors. The ATD and DPHK sites were observed loading a JavaScript file from the domain "java-se.com", which Volexity associated with advanced persistent threat (APT) activity. At the time of discovery this domain was hosted on a server in Japan, and it had previously been linked to an attack on Japan's nikkei.com website in September 2014. ATD's infrastructure additionally contained a password-protected webshell, a common tool attackers use to keep persistent access to a compromised system even after the initially injected code has been removed. The webshell's presence indicated an intent to preserve long-term control over the affected web servers.

Volexity's investigation revealed distinct attack mechanisms across the targeted organizations. People Power's website hosted malicious iframes that redirected visitors through the Chinese URL-shortening service 985.so to exploit kits hosted on a single IP address. These kits profiled the visitor's system to identify exploitable vulnerabilities and, upon successful exploitation, delivered an architecture-specific malware payload (32-bit or 64-bit). The Professional Commons' site contained a suspicious iframe pointing to a defunct page on a South Korean hotel website, though this redirect led only to the hotel's main page without delivering any observable exploit. The campaign's primary impact was the use of the compromised websites to distribute malware to visitors, potentially exposing pro-democracy activists and supporters to further surveillance or data theft. Volexity documented these findings in a public blog post on October 9, 2014, confirming that the compromises were live at the time; the post did not disclose remediation efforts by the affected organizations.
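The two injection patterns described above (a script tag pulling JavaScript from an attacker-controlled domain, and hidden iframes bouncing visitors through a URL shortener to an exploit kit) are visible in the served HTML, which means a site owner can check for them without any endpoint telemetry. The following is an added defender-side example; it is not Volexity's code or tooling from the original post. It walks a page's `<script>` and `<iframe>` tags, flags any external source whose host is not on the site's own allowlist, and separately flags hosts named in this write-up (java-se.com, 985.so) and iframes hidden by size or style. The allowlist hosts, the sample page, and the URL paths in it are constructed for illustration.

```python
"""Flag externally sourced scripts and iframes in a page's HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads from. Constructed allowlist; a real check
# would derive this from the site's own asset inventory.
ALLOWED_HOSTS = {"www.example-party.hk", "example-party.hk", "cdn.example-party.hk"}

# Indicators named in the incident description. Everything else is judged
# against the allowlist rather than against a blocklist.
KNOWN_BAD_HOSTS = {"java-se.com", "985.so"}


def _is_hidden(attrs):
    """True for iframes sized to 0/1 px or styled invisible, a common watering-hole trait."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return width in ("0", "1") or height in ("0", "1")


class InjectFinder(HTMLParser):
    """Collects script/iframe tags whose src points off-site or looks hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline scripts and src-less iframes are out of scope here
        host = urlparse(src).hostname
        if host is None:
            return  # relative URL, same origin as the page
        host = host.lower()
        reasons = []
        if host in KNOWN_BAD_HOSTS or any(host.endswith("." + h) for h in KNOWN_BAD_HOSTS):
            reasons.append("known-bad host")
        elif host not in ALLOWED_HOSTS:
            reasons.append("host not in allowlist")
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})


def scan_html(html):
    """Return a list of findings for one HTML document."""
    parser = InjectFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate relative script, one allowlisted CDN
# script, one script from the domain named in the write-up, a hidden iframe
# through the shortener named in the write-up, and a visible third-party embed.
# Paths such as /example.js are placeholders, not the real file names.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-party.hk/jquery.js"></script>
<script type="text/javascript" src="http://java-se.com/example.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://985.so/example" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"{f['tag']:6} {f['host']:22} {', '.join(f['reasons'])}")
```

Run against the sample, the script from java-se.com and the hidden 985.so iframe are reported on the strength of the page's own indicators, and the YouTube embed is reported only because it is not on the allowlist. That third finding is deliberate: the check is allowlist-driven so that a fresh attacker domain is caught without prior knowledge, at the cost of having to enumerate legitimate third-party embeds. Note what this does not cover: the password-protected webshell on ATD's server is a server-side artifact and only shows up in file-integrity monitoring or a review of the web root, not in the HTML served to visitors.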
