• Thu
  • Dec 18, 2014
  • Updated: 2:01pm
Occupy Central
NewsHong Kong

Cyberattacks against Occupy Central poll traced to mainland firms’ computers in Hong Kong

IT expert traces IP addresses, and blames the enterprises for up to 40pc of security breaches

PUBLISHED : Monday, 23 June, 2014, 5:30pm
UPDATED : Tuesday, 24 June, 2014, 2:47pm

Up to 40 per cent of cyberattacks on the website used to run Occupy Central's unofficial plebiscite on electoral reform came from computers registered to mainland firms in Hong Kong, said an IT expert who advised the poll's organisers.

But it was possible the firms were unaware their computers were involved, as they may have been controlled by hackers, said Young Wo-sang, convenor of the Internet Society of Hong Kong's security and privacy working group.

Dr Chan Kin-man, a key organiser of the civil disobedience movement - which has vowed to blockade Central if the government fails to offer a satisfactory reform proposal - said the findings had fuelled Hongkongers' worries that Beijing was the ultimate hacker of the system.

The 10-day so-called referendum, allowing Hongkongers to pick their preferred reform proposal from a shortlist of three, faced over 10 billion distributed denial-of-service attacks shortly after it launched for pre-registration on June 13, knocking the system offline for periods.

Young said many attacks appeared to have come from computers in Hong Kong registered to mainland firms. "After tracing the IP addresses, we have found that 30 to 40 per cent of them were registered by mainland enterprises," he said.

Cyberattack on Occupy Central poll is 'most sophisticated onslaught ever seen'

Young has been advising the University of Hong Kong's public opinion programme - commissioned by Occupy to handle the poll - on security. He said the poll team had passed its information to police and urged them to locate the real culprit.

Last night police said they were still investigating.

More than 720,000 votes have been cast, including 48,000 at 15 polling stations on Sunday.

In Beijing, a mainland official joined the debate, saying the voting system was unprofessional based on his first-hand attempts to cast a vote.

Zhang Hong, a researcher with the Cyber Security Research Institute under the Ministry of Industry and Information Technology, said he voted twice on Sunday despite not being a Hong Kong permanent resident. He said he logged on to the online voting system using a false Hong Kong address and two Hong Kong cellphone numbers with the help of a friend in the city, and two Hong Kong ID numbers generated online.

"The credibility of the voting system is doubtful due to the technical loopholes," he said.

Zhang said he had tried to vote online eight times and succeeded twice.

"The system makes it impossible to verify whether all the votes are from qualified voters."

He tested the system "out of curiosity", and concluded the poll result was contaminated.

"[The voting] is merely self-serving. It is interesting for those who have no technical background but left us professionals speechless," he said.

Zhang also questioned people who said the cyberattacks were from mainland companies.

"It is not difficult to remove one's footprint from the internet. The attacker could easily hide their identity and then launch the attack," he said. "It is far-fetched to accuse the mainland authorities."

In response, Chan said Occupy had tried to prevent any dishonest voting. "I am particularly concerned that even mainland officials have failed to realise that using others' identities is in fact an offence under the city's laws," Chan said.

He urged people to vote at polling stations if they feared their identities were being used dishonestly online.



Related topics

For unlimited access to:

SCMP.com SCMP Tablet Edition SCMP Mobile Edition 10-year news archive



This article is now closed to comments

Whoever you are, you lack guts. Not only do you lack the guts to give us a name but you are also very out of touch with ordinary people. This was a referendum run by Hong Kong people for Hong Kong people. The vast majority of those running it and those voting were Chinese. Not Communist Party Chinese but Chinese nonetheless. You are either a Communist Party member, or a Communist Party sympathizer and consequently you are not a Chinese patriot. How could anyone be considered a Chinese patriot - someone who loves their country and their people - if they are only wiling to listen to and help such a small number of people. There are over 900 million other Chinese you know? Actually, you probably don't know or care. You are simply in it to see what you can get. Ask not what you can do for your country but what you can get from supporting your party!
Dai Muff
The choice to abstain from all three proposals was there. Without knowing who the selection committee is, your proposed question is an absurdity.
Ant Lee
the chinese government always want others give them face but they always make themselves look the fool. why are they so fearful and desperate if the referendum is unofficial and illegitimate? those 50 cents are just pathetic.
Dai Muff
Xenophobia is so 1950s.
One of the saddest things about you united fronters is that ALL your propaganda so far is about thirty years out of date. Our parents and grandparents ran TO Hong Kong, not away from Hong Kong. I leave it to you to remember what they ran away from.
You talk sense but in my opinion, there is no point in discussing whether or not candidates should only be nominated by the Nominating Committee. The Basic Law clearly states that this is what should be done. What people hate to see is the limited choices we have in each CE election. Each person having one vote is meaningless if the choices are pre-determined by Beijing. Looking at the past 3 CE elections - One can actually despair at the quality of the candidates who do not seem to think they are accountable to the people of HK. The nominating Committee or rather the Selection Committee as you stated, needs to have an acceptable and objective means of selecting candidates for nomination and not simply use vague terms like 'you must love thy country' which can mean practically anyone that is disliked by Beijing. Personally, I believe that Long Hair et al should not be nominated as their behavior is deplorable but if they have many followers then who is to say they cant be nominated. The nominating committee needs a huge revamp.
****** - what does being such a brown-noser to the Chinese government get you?
No one is stating Colonialism, we just don't want a chance of electing a Mayor or a Leader for our city so that if he turns out like BoXiLai, at least the voters are responsible, because right now, there's a lot of BoXiLai's around in a lot of cities in China and there's not even a choice for it's citizens to prevent it.
Or are you one of those BoXiLai people? Then I can understand why you're so into this.
John Adams
It's a great pity ( and also very silly) that the "Occupy Central" organisation did not include an option to vote which simply says :
"I agree / disagree with nomination of suitable candidates by the Selection Committee instead of public a free-for-all public nomination" \
I personally have my own views on the actual public election process, and I would like to vote informally on that issue in this "mock" referendum. But I refuse to vote in this "mock" referendum simply because it does not allow me to state that I am happy with the pre-selection of suitable candidates nominated by the Selection Committee.
(Heaven help us if mad dog, bald albert or long-hair were ever nominated !)
The occupy central group were very stupid to exclude this one crucial question :
YES / NO ?
I bet that a large number of those who voted these past few days would have answered "YES"
Why is the Occupy Central movement so scared to ask that simple basic question ?
WHY ?!
Dai Muff
"But the companies involved may not have been aware that the computers were part of the attack, as the machines may have been compromised and then remotely controlled by hackers, the expert said."
Wanna buy some beach front real estate?
Very disgusted with this OC group. To execute as they called the "monumental DDOS" attacks require hundreds and thousands (or millions to of computers to bring down HKU's system) through a vast network of botnet implantation. DDOS attacks make infinite requests to a website to bottleneck others from visiting. To say ten and hundreds of computers in Chinese companies in Hong Kong had done the job is ludicrous. Either they don't know what they are talking about and blindly blame China, or they are lying through their teeth. But then, many Hong Kongers believe anything that is deemed popular.
Seriously, if the point is to sabotage this voting arrangement, would they not submit 7 to 8 million fake IDs to vote on "Abstain"? This way, it will render the voting absolutely unbelievable and people will not know what to believe. Is this not more effective than a denial of service attack? This is an amazing display of psychological warfare. Every move is an interesting one.
May Peace Prevail on Earth.



SCMP.com Account