Stock exchange hacker guilty of 'reckless' attacks
A businessman was found guilty on Wednesday of unleashing “highly reckless” cyberattacks on a stock exchange website last year.
Tse Man-lai, 28, had pleaded not guilty to two counts of obtaining access to a computer with criminal or dishonest intent in District Court. He was convicted of both counts after a trial.
Tse launched “denial-of-service”, or DoS, attacks on HKExnews, a website providing regulatory filings and disclosure announcements by listed companies, on August 12 and 13 last year.
In handing down his verdict, Judge Kim Longley said Tse’s attacks had been serious, “highly reckless” and targeted a website that was important to Hong Kong.
DoS attacks are designed to interrupt or suspend a site’s services to its users. When they originate from more than one source, they are called DDoS attacks.
The court earlier heard that the attacks had originated from internet protocol addresses assigned to a computer used only by Tse at his Tin Shui Wai home.
Prosecutors said Tse launched the attacks to promote his own company, Pacswitch Globe Telecom. He wanted to use screen images and a video from the hacking to demonstrate the web site's vulnerability and help suggest the company could provide services to prevent DDoS attacks.
Prosecutor Olivia Tsang Oi-kei had told the court: “The prosecution’s case is that the defendant was the person who used the computer to launch the two attacks on HKExnews, and subsequently to post or create the messages on the blog and the Yahoo webpage, all done with a view to dishonest gain for himself by promoting the business of his company, namely Pacswitch.”
Tse's first attack lasted 6 1/2 minutes and second attack 70 seconds, and consumed 48 and 54 per cent of the network resources, respectively.
Tse’s attacks came after the website suffered a DDoS attack from more than 300 foreign sources on August 10. That assault caused the bourse to shut down the website and suspend trading in seven firms, including HSBC, which had a combined value of HK$1.5 trillion.
There was no evidence that Tse was involved in the August 10 incident.
At trial, Tse claimed he had recorded the still and video images to use as illustration for tutorial articles he was writing to teach others about how DDoS attacks occur.
But the judge did not believe him, saying he found it implausible that Tse had wanted the images simply to educate the public.
Defence lawyer Bernard Chung said Tse’s case was probably “the first of its kind” under the charge. Normally the charge is used against suspects accused of taking photos under women’s skirts or taking information from someone.
Chung noted in Tse's defence that during the Severe Acute Respiratory Syndrome outbreak in 2003, Tse had worked with the Auxiliary Medical Service at Amoy Gardens, where there were many cases of the disease.
Tse was remanded in custody following the verdict. The judge has ordered a background report on him pending his sentencing hearing on November 9.