China's Winnti hackers (apparently): Forget the money, let's get political and start targeting Hong Kong students for protest info

Supply-chain hackers now taking aim at kids fighting for democracy, say researchers

A Chinese hacking crew which had previously been focusing on industrial and commercial attacks has now involved itself in efforts to suppress protests in Hong Kong.

Researchers at security shop ESET say the Winnti Group, a hacking operation believed to be backed by the Chinese government, has begun targeting the networks and accounts of at least five universities in Hong Kong. Active malware infections were found at two of the schools in November of last year and ESET believes three others have since been targeted by the hackers.

The aim of these intrusions, ESET believes, is to gather intelligence and disrupt protests by students at those universities, as Hong Kong continues to deal with civil unrest between pro-democracy protesters and the mainland government.

According to the ESET team, the Winnti hackers have been using their namesake malware trojan – first documented back in 2013 – to get into the university PCs and drop a backdoor called ShadowPad. From there, it is believed the hackers comb the infected machines for information relating to the ongoing protests.

Death Star cannon

China fires up 'Great Cannon' denial-of-service blaster, points it toward Hong Kong


"ShadowPad is a multi-modular backdoor and, by default, every keystroke is recorded using the Keylogger module," explained Mathieu Tartare, the lead researcher for the ESET team studying the attack.

"The use of this module by default indicates that the attackers are interested in stealing information from the victims' machines. In contrast, the variants we described in our earlier whitepaper didn't even have that module embedded."

The protester attacks are a departure from what the Winnti hackers usually focus on. Previously, the Chinese crew had devoted itself to financial and intellectual property heists, targeting online gaming companies and supply chain operators in the pharmaceutical, aviation, telecoms, and software markets.

The group has gained some notoriety for its use of custom-built, sophisticated malware. The Winnti crew was among the first to make use of stolen certificates to evade security software. ®

Broader topics

Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022