Date: 2015-11-29
* Hackers use Dropbox, Google Drive for attacks
HONG KONG/SINGAPORE, Nov 30 - Almost a year after
students ended pro-democracy street protests in Hong Kong, they
face an online battle against what Western security experts say
are China-sponsored hackers using techniques rarely seen
elsewhere.
Hackers have expanded their attacks to parking malware on
popular file-sharing services including Dropbox and Google Drive
to trap victims into downloading infected files and
compromising sensitive information. They also use more
sophisticated tactics, homing in on specific targets through
so-called 'white lists' that only infect certain visitors to
compromised websites.
Security experts say such techniques are only used by
sophisticated hackers from China and Russia, usually for
surveillance and information extraction.
The level of hacking is a sign, they say, of how important
China views Hong Kong, where 79 days of protests late last year
brought parts of the territory, a major regional financial hub,
to a standstill. The scale of the protests raised concerns in
Beijing about political unrest on China's periphery.
"We're the most co-ordinated opposition group on Chinese
soil, (and) have a reasonable assumption that Beijing is behind
the hacking," said Lam Cheuk-ting, chief executive of Hong
Kong's Democratic Party, which says it has been a victim of
cyber attacks on its website and some members' email accounts.
U.S.-based Internet security company FireEye said the
attacks via Dropbox were aimed at "precisely those whose
networks Beijing would seek to monitor", and could provide China
with advance warning of protests and information on
pro-democracy leaders. The company said half its customers in
Hong Kong and Taiwan were attacked by government and
professional hackers in the first half of this year - two and a
half times the global average.
China's Ministry of Foreign Affairs, Public Security Bureau
and the Liaison Office of the Central People's Government in the
Hong Kong Special Administrative Region did not respond to
requests for comment. The Defence Ministry said the issue was
not part of its remit. China has previously denied accusations
of hacking, calling them groundless, and saying it is a victim.
The Hong Kong police said its Cyber Security and Technology
Crime Bureau works with other law enforcement agencies to combat
cross-border crime, but did not respond to questions on how much
information it shares with mainland Chinese authorities, the
origin of the Hong Kong cyber attacks, or whether these might be
a source of instability or concern.
Police data show a drop in reported "unauthorised access",
which includes Internet or email account abuse and hacking, over
the past two years. Many of the victims Reuters spoke to said
they hadn't bothered to report being hacked.
SWITCHING TACTICS
Like other groups taking on the might of Beijing - from
Uighurs and exiled Tibetans to some Taiwanese - Hong Kong
activists, academics and journalists have become more savvy and
adopted tactics that, in turn, force hackers to get savvier
still.
When Tibetan exile groups stopped clicking on files attached
to emails, to avoid falling victim to a common form of 'spear
phishing' attack, hackers switched their malware to Google
Drive, hoping victims would think these files were safer, said
Citizen Lab, a Canada-based research organisation which works
with Tibetans and other NGOs.
Hackers also recently used Dropbox to lure Chinese language
journalists in Hong Kong into downloading infected files.
FireEye, which discovered the attack, said it was the first time
it had seen this approach.
"We don't have any arrogance to think we can beat them,"
said Mark Simon, senior executive at the parent company of Hong
Kong's Apple Daily, a media group on the front line of the
attacks.
STRANGE WORDS
Trying to stay ahead of the hackers, activists and others
use multiple mobile phones with different SIM chips, encrypted
messaging apps, apps that automatically delete tweets, and code
words to set up meetings. If someone thinks they may be
arrested, they remove themselves from group chats.
Some things are kept offline.
"If we want to talk, we have some signal," said Derek Lam, a
member of student group Scholarism that helped organise the
protests. "It's a few words ... if I say some words that are
really strange it means we have to talk somewhere privately."
Law professor and protest organizer Benny Tai stores
personal data, such as names, email addresses and mobile
numbers, on an external hard drive that he says he only accesses
on a computer without an Internet connection.
The pro-democracy Apple Daily, which says it is hacked on an
almost weekly basis, has tightened its email security software,
and has its lawyers use couriers rather than email. FireEye last
year connected denial of service (DDoS) attacks against Apple
Daily with more professional cyber spying attacks, saying there
may be a "common quartermaster". It said China's government
would be the entity most interested in these "political
objectives".
SOPHISTICATED HACKS
Steven Adair, co-founder of U.S.-based security firm
Volexity, said that code hidden on pro-democracy websites last
year, including those of the Democratic Party and the Alliance
for True Democracy, suggested a group he said "we strongly
suspect to be Chinese... who is very well resourced."
He said such tactics were more usually seen employed by
Russian hackers, aimed at very specific targets and designed to
be as unobtrusive as possible. "It's a real evolution in
targeting," he said.
In the run-up to Hong Kong district council elections
earlier this month, hackers used more basic techniques, breaking
into at least 20 Gmail accounts at the Democratic Party,
according to party officials and Google logs seen by Reuters.
Between April and June, many hacked accounts were forwarding
emails to lovechina8964@gmail.com. An examination of the
hackers' IP addresses by the party's IT experts found some
appeared to originate in China, party officials said.
