China “Xi’s” Red: Cyber Warfare Used on Hong Kong Protestors

By David Fratini on October 18, 2019

Image of Hong Kong protestors

Executive Overview:        

The Communist Party of China (CCP) is reportedly resorting to cyber warfare methods in an attempt to suppress the democratic movement in Hong Kong. In June and September, large-scale DDoS attacks were levied at apps used by protestors to organize rallies and coordinate around government attempts at suppression.


After 6 months of escalating intensity, Hong Kong riots have become the international center of attention. The situation began when a controversial extradition bill was introduced in Hong Kong, which would have infringed on the autonomy of the region. Anxiety towards increasingly authoritarian Chinese government infringing on Hong Kong citizens’ rights sparked immediate outcry from the populace. China, however, refused to give ground and the public outcry spread across the region eventually evolving into full-fledged protest for democratic reforms and shutting down infrastructure. In the past week, U.S. organizations such as Apple, Google, the NBA, and Blizzard has received massive backlash from the American public for kowtowing to the Chinese Communist Party (CCP) at the expense of Honk Kong citizens. 

As the global spotlight grows increasingly brighter on Hong Kong, the CCP is resorting to more aggressive methods in an attempt to crush the uprising. 


Both the June and September attacks have been large scale DDoS attacks aimed at two forum and messaging platforms used by protestors to organize; Telegram, LIHKG, and FireChat. 

In the September case LIHKG was targeted and requests of the applications domain reached 1.5 billion hits per hour, with roughly 6.5 million unique visitors. A DDoS of this scale requires an extensive botnet. While not all of the traffic that caused the crash originated in China, the strong motive for the attack and the number of bots originating in the PRC strongly indicate a CCP coordinated attack.

In the June case Telegram was hit with ~300Gb/s of junk traffic, such as repeated TCP requests, and shut down for several hours – this coincided with a surge in protestor activity.

Tweet reading: IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @Telegram). This case was not an exception

Looking Forward:

China already operates an incredibly dystopian surveillance system that utilizes facial recognition AI to track and “score” citizens. In the northwestern semi-autonomous region of Xinjiang, millions of Uyghur Muslims are undergoing forced “reeducation” in concentration camps. Meanwhile, disturbing reports of organ-harvesting of prisoners throughout the country have come to light. China is growing more powerful by the day and at the same time becoming more authoritarian. Aside from its surveillance systems, great firewall, and cyber attacks on its own citizens, the CCP has also used its economic strength to force foreign companies doing business in China to submit to their censorship demands. 

With the recent rise in anti-CCP sentiment in the west, citizens are beginning to lambast the organizations who profit off of China’s authoritarianism. It is probable that in the coming months China’s economic pressure on American organizations will prove less effective. Organizations that accept Chinese censorship are seeing their wallets take the hit in Western markets boycott their goods. This will drive the CCP to use more aggressive methods like denial of service attacks, increased censorship, and possibly attacks on organizations that refuse to accept Chinese policy. 

Finally, and worth considering, is how quickly the CCP was able to mobilize a botnet attack. The attacks were in response to surges in protests – which means that there was an extremely accelerated time-table for planning, coordinating, and executing these attacks. There have been reports in the past of Chinese tech manufacturers including malicious firmware in their computer production cycles, how many of the 1.5 billion Chinese consumers operate a system that is plugged into a botnet freely available for the CCP’s use?