Protests in Hong Kong have been ongoing for over half a year now as the populace makes its feelings known about potential laws regarding extradition agreements between the city and mainland China. Beyond the political impacts of these events, the case demonstrates the use of cyberattacks as a means for a government to handle foreign policy.
Throughout the course of the protests, websites only tangentially associated with the protest have been targeted by Distributed Denial of Service (DDoS) attacks intended to disrupt these protests. The use of DDoS attacks against services not directly associated with the protests demonstrates the importance of deploying DDoS protection for all organizations since anyone could potentially be a target of such an attack.
The Great Cannon Used Against Hong Kong Protesters
The Hong Kong protests have been the target of multiple DDoS attacks over the last year. In August 2019, the LIHKG social media platform was targeted by a DDoS attack using the Great Cannon DDoS tool.
The Great Cannon tool takes an unusual approach to building a botnet for performing DDoS attacks. Most DDoS botnets, like Mirai, take advantage of cheap cloud computing or the plethora of insecure Internet of Things (IoT) devices running with weak, default passwords to build up the computing power needed for the attacks.
However, this attack against LIHKG was not the first time that the Chinese government used a DDoS attack to attempt to disrupt protests in Hong Kong. In June of that year, Telegram experienced a DDoS attack that is also attributed to the Chinese government.
Telegram is an encrypted messaging app that enables users to set up channels that can broadcast messages to an unlimited number of recipients. This combination of security and reach made it an ideal choice for organizers of Hong Kong-based protests to coordinate with participants. However, the use of Telegram as a tool for organizing these protests made it the target of a DDoS attack on June 12, 2019. The service received an enormous number of malicious requests, rendering it incapable of properly responding to legitimate requests from its users.
An internal investigation by the Telegram team determined that the vast majority of the requests originated from IP addresses allocated to China. This, in combination with the fact that the attack coincided with the Hong Kong protests, resulted in the Telegram team attributing the attack to the Chinese government.
While discussing the attack, the CEO of Telegram stated that this is not the first time that the company has experienced “state-level” DDoS attacks, and that these attacks typically coincide with protests occurring in Hong Kong. This pattern indicates that the use of DDoS as a means of implementing foreign policy is likely to continue, and that Telegram, and similar sites, must deploy protections against these threats.
Implications of the Hong Kong DDoS Attacks
While these DDoS attacks do not have the cyber-physical impacts of the attacks that cut off power in Ukraine, they represent the clear use of cyberattacks as a tool for foreign policy. The timing and apparent origin of these attacks has led to them being attributed (correctly or not) to the Chinese government’s attempts to interfere in the governance of Hong Kong.
Beyond the political impacts of these attacks, they also demonstrate that every organization is a potential target of a cyberattack. For example, Telegram offers end-to-end encryption of messages sent on its platform. Theoretically, this means that the organization does not have the capability to read the messages being sent on its platform.
As a result, the company may have been targeted by a DDoS attack without any knowledge of the reason behind it. While, in this case, Telegram was aware of the circumstances, this may not always be the case. As DDoS attacks become increasingly affordable and cybercriminals continue to offer DDoS as a service, any organization could be targeted by a DDoS attack without warning.
Protecting Against DDoS Attacks
Unlike other common types of cyberattacks, DDoS attacks do not require an organization to make a mistake to be vulnerable. A DDoS attack does not take advantage of an employee clicking on a malicious link in a phishing email or an unpatched vulnerability in an Internet-facing web application.
Instead, DDoS attacks degrade or destroy access to a service by overwhelming it with more malicious requests than it is capable of processing. As demonstrated by the attacks against LIHKG and Telegram, these attacks can be extremely effective, even against large organizations with significant network infrastructure.
Defending against these types of attacks requires organizations to deploy strong DDoS prevention solutions. These tools filter out malicious requests while allowing legitimate ones to pass through, enabling an organization’s web presence to remain online even in the face of state-level DDoS attacks.
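To make the "filter out malicious requests while allowing legitimate ones" idea concrete, the following is an added example (not code from the original article or from any DDoS protection vendor) of the simplest building block such tools use: a per-source token bucket that admits a burst plus a sustained request rate and drops everything above it. The request log, the IP addresses, and the bucket parameters are constructed for the demonstration.

```python
"""Per-source token-bucket request filtering, as a minimal illustration of
how a DDoS mitigation layer separates a flood from ordinary traffic.
Added example; the request log below is constructed, not captured."""
from collections import defaultdict


class TokenBucket:
    """Allow up to `capacity` requests in a burst, refilling at
    `refill_per_sec` tokens per second of sustained traffic."""

    def __init__(self, capacity: float, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity   # start full: a new source may burst
        self.last_ts = 0.0

    def allow(self, ts: float) -> bool:
        # Refill proportionally to the time elapsed since the last request,
        # capped at the bucket capacity so idle sources cannot bank tokens.
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_requests(log, capacity: float = 10.0, refill_per_sec: float = 5.0):
    """Run a (timestamp, source_ip, path) log through one bucket per source.
    Returns {source_ip: {"allowed": n, "dropped": n}}."""
    buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src, _path in log:
        verdict = "allowed" if buckets[src].allow(ts) else "dropped"
        stats[src][verdict] += 1
    return dict(stats)


# Constructed traffic (documentation-range addresses, not real hosts):
# one legitimate client polling once per second, and one flood source
# sending 100 requests within a tenth of a second while the client is active.
LEGIT_IP = "198.51.100.7"
FLOOD_IP = "203.0.113.9"
REQUEST_LOG = [(float(t), LEGIT_IP, "/api/updates") for t in range(1, 7)]
REQUEST_LOG += [(5.0 + i * 0.001, FLOOD_IP, "/api/updates") for i in range(100)]
REQUEST_LOG.sort(key=lambda r: r[0])

if __name__ == "__main__":
    for ip, counts in filter_requests(REQUEST_LOG).items():
        print(ip, counts)
```

With a burst capacity of 10 and a refill of 5 per second, the legitimate client is never throttled, while the flood source gets its first 10 requests through and the remaining 90 dropped, because only about half a token refills during its 0.1-second burst. A per-source limit like this is only a first layer: a distributed attack spreads its requests across many sources so that each one stays under the threshold, which is why the state-level attacks described above are absorbed by upstream scrubbing and large, distributed capacity rather than by a single origin server's limiter.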