Assailed by law enforcement and APT groups, activists turn to dark web and encrypted messaging apps

Pro-democracy activists in Hong Kong have “turned to the digital underground” as authorities wield sweeping new surveillance powers, a new report reveals.

Dissidents in the Chinese Special Administrative Region (SAR) are increasingly “using dark web forums and encrypted messaging apps to circumvent digital surveillance by authorities” empowered by a controversial new national security law, according to research by threat intel firm IntSights.

Passed in June 2020, the legislation grants law enforcement agencies powers to conduct warrantless searches and covert surveillance, seize travel documents, and compel online service providers to cooperate with requests to remove content.

The law was used in January to detain more than 50 pro-democracy activists and politicians, and reportedly block access to an anti-government website on the grounds that it violated separate, anti-doxxing legislation.

In a multi-pronged effort to quell dissent, the Chinese government is also linked to various malware and disinformation campaigns designed to demoralize activists and disrupt their activities.

For instance, when a UK-based dark web user claimed in November 2020 that at least 13 overseas websites had been blocked in Hong Kong, a pro-China counter-post blamed the incident on defective servers, reports IntSights.

Last year, moreover, Twitter removed more than 170,000 accounts that were said to be part of a “manipulative and coordinated” campaign to spread disinformation about pro-democracy protests that have convulsed the SAR for the past two years.

Malware and APTs

APT threat groups believed to be backed by the Chinese government have targeted Hong Kong citizens, universities, and news media deemed a threat to “unity” with malware campaigns since 2014.

One iOS-optimized malware strain that emerged in 2020, LightSpy, allows an attacker to remotely exfiltrate infected devices’ call history, geolocations, and contact lists.




An Android version, called dmsSpy, was “distributed through Instagram and Telegram with content designed to get victims to download an app dedicated to the Hong Kong Democracy and Freedom Movement”, says the report.

Another, a malicious archive campaign, leveraged MGbot malware linked to APT group ‘Evasive Panda’ and embedded a message from UK Prime Minister Boris Johnson inviting Hong Kongers to emigrate to Britain.

Going dark

Growing numbers of beleaguered activists are paying fees to use dark web services in order “to safely communicate with each other, discuss politics, share information, and inquire about newer and more secure apps through various channels available on the dark web”.

Despite exercising such apparent caution, many pro-democracy netizens are nevertheless taking great risks in using generally pro-China, Chinese-language dark web forums to criticize the government and police.

Moreover, the ubiquity of nefarious activities on the darknet – such as the sale of stolen data, credit card skimmers, and recreational drugs – threatens to “lure” politically motivated “users into illicit cybercriminal activity”.

Un-crackable iPhones

Activists are using myriad messaging apps and communication tools to evade surveillance.

These include end-to-end encrypted services Telegram, which claimed it was hit by a DDoS attack originating from China in 2019, and Signal, whose popularity has surged, according to IntSights researchers, in response to controversial changes to WhatsApp’s privacy policy.

Dissidents have also used Apple’s Bluetooth-powered AirDrop feature to communicate with allies and organize rallies – and the latest iPhones appear to be generally the safest bet for dissidents.

Speaking on the condition of anonymity, a Hong Kong police officer is quoted by IntSights researchers as stating that law enforcement were “unable to crack newer Apple iPhone models locally” despite finding “ways to compromise Android” devices and access Google Drive files.




Bluetooth app Bridgefy, meanwhile, is helping activists communicate offline courtesy of its innovative use of mesh networks.

However, Professor Alan Woodward, a computer security expert at Surrey University, has pointed out that authorities could still intercept communications.

“With any peer-to-peer network, if you have the know-how, you can sit at central points of it and monitor which device is talking to which device and this metadata can tell you who is involved in chats,” he told the BBC in 2019.

Videoconferencing platforms such as Zoom have also become a more useful eavesdropping medium for government agencies since university seminars migrated online due to the Covid-19 pandemic.

IntSights expects there to be no let-up in the Chinese Communist Party’s efforts to “minimize the reach and impact” of dissidents’ messages, and anticipates “a rise in VPN usage and end-to-end encryption applications, such as Signal, Telegram, and ProtonMail, and related services”.

It adds: “While there was no evidence of hacktivist activities by Hong Kongers, we cannot rule out that this is happening on a small scale.”

