Protests, Political Conflicts and Spillover into Cyber Risk

Threats in focus

Over the last several months, protests in Hong Kong over a controversial extradition bill have stretched beyond 100 days, reportedly involving millions of people, many arrests and violent conflicts between law enforcement and protestors. Concurrent with this situation, we have seen a variety of cyber threat activity targeting individuals and organizations who are involved.


Examples include:

• We have seen intrusion attempts against targets such as media organizations and NGOs that may have been driven by Chinese security and political concerns over the protests. Based on observed patterns in China-linked espionage activity, these intrusions could have objectives such as gathering non-public information on protests or identifying activists.

• Indications of DDoS attacks have been observed against assets on both sides of the protests, signifying that advocates of both the government and the protests may be employing this tactic.

• We have been tracking seemingly inauthentic social media activity promoting narratives in line with the interests of the Chinese government. In mid-August, Facebook and Twitter announced that they had shut down accounts associated with a state-backed Chinese campaign designed to undermine the Hong Kong protests.

Hong Kong Protests

In the past, we have frequently observed similar cyber threat activity surrounding political disputes ranging in intensity from election-season controversies to civil wars. While the intensity of threat activity can vary drastically with the severity of the surrounding circumstances, the types of activity we see and the motivations driving them are more consistent. They involve attacks such as network intrusions, DDoS attacks and inauthentic social media activity.

Network Intrusions

Network intrusions through spear phishing, social media lures, supply-chain compromise, and other tactics are used by interested parties to gain an insider understanding of what is happening. Perpetrators may seek to accomplish objectives such as identifying persons involved in the situation, obtaining advance knowledge of involved parties' plans, or predicting the likely outcome of their own actions. It is easy to imagine why these incidents can affect directly involved individuals and entities such as journalists, NGOs, or law enforcement. Companies that have maintained distance from the situation can also be affected if the threat actors involved believe they may possess wanted information or offer attackers desired access. For example, we have seen threat actors targeting telecommunications firms to compromise information on their customers.

DDoS Attacks

Politically motivated, overt attacks to further the perpetrators’ views or disrupt targets—DDoS attacks, leaks of stolen information, destructive attacks—are also a hallmark of these situations. These attacks can also play out against unexpected targets with no self-evident connection to the situation, especially when a conflict attracts non-state hacktivists who may be seeking personal notoriety. In the ongoing Hong Kong protests, the messaging service Telegram has reportedly experienced DDoS attacks; Telegram is not necessarily tied to either side in the protests, but it is plausible that protestors’ use of the app led to an attack on the service.

Inauthentic Social Media Activity

Inauthentic social media activity is frequently employed in attempts to control public discussion and sentiment around these situations. We often see activity in support of multiple different nation-states in which compromised or perpetrator-created accounts act in coordination to promote narratives in line with the operators’ interests.

Organizations that operate in geographic areas where political conflicts are happening, or that provide services used by participants, can prepare for incidents they may experience based on these long-standing patterns in politically motivated threat activity.

Visit FireEye to learn more about how you can prepare your organization for this type of activity.