A Chinese hacking crew which had previously been focusing on industrial and commercial attacks has now involved itself in efforts to suppress protests in Hong Kong.
Researchers at security shop ESET say the Winnti Group, a hacking operation believed to be backed by the Chinese government, has begun targeting the networks and accounts of at least five universities in Hong Kong. Active malware infections were found at two of the schools in November of last year and ESET believes three others have since been targeted by the hackers.
The aim of these intrusions, ESET believes, is to gather intelligence and disrupt protests by students at those universities, as Hong Kong continues to deal with civil unrest between pro-democracy protesters and the mainland government.
According to the ESET team, the Winnti hackers have been using their namesake malware trojan – first documented back in 2013 – to get into the university PCs and drop a backdoor called ShadowPad. From there, it is believed the hackers comb the infected machines for information relating to the ongoing protests.
China fires up 'Great Cannon' denial-of-service blaster, points it toward Hong KongREAD MORE
"ShadowPad is a multi-modular backdoor and, by default, every keystroke is recorded using the Keylogger module," explained Mathieu Tartare, the lead researcher for the ESET team studying the attack.
"The use of this module by default indicates that the attackers are interested in stealing information from the victims' machines. In contrast, the variants we described in our earlier whitepaper didn't even have that module embedded."
The protester attacks are a departure from what the Winnti hackers usually focus on. Previously, the Chinese crew had devoted itself to financial and intellectual property heists, targeting online gaming companies and supply chain operators in the pharmaceutical, aviation, telecoms, and software markets.
The group has gained some notoriety for its use of custom-built, sophisticated malware. The Winnti crew was among the first to make use of stolen certificates to evade security software. ®