Hong Kong Democratic Party website hack put visitors at risk, says researcher

HONG KONG - The website of the Hong Kong Democratic Party (DPHK) has had seemingly malicious code running on it for a month, meaning visitors could have been compromised in turn, says a security expert.

The party has been at the heart of the Hong Kong protests, calling for democratic reform, but its site could have been infecting demonstrators, noted Claudio Guarnieri, an independent security researcher who discovered the breach.

Whilst there’s some indication the hackers were targeting visitors, there’s no evidence that the attackers did anything more than breach the site and attempt to load JavaScript code from another website. That “injected” JavaScript is no longer working, so Guarnieri was not able to determine what kind of payload the hackers were trying to deliver. A typical attack would see injected code attempt to download malware onto a visitor’s computer, which would then collect information from it.

The fact the website had been hacked for a month is concerning enough, said Guarnieri. “Fact is, the website is popped and apparently has been so for a while,” he told the Guardian over email.

“If protesters have been checking in the DPHK website in anticipation to the protests and the website has been used as a strategic attack platform, it’s likely that a number of people revolving around the Occupy Central movement have been exploited and compromised as well.”

DPHK had not responded to a request for comment on the apparent breach by the time of publication.

Protesters have already been targeted via their mobile phones. A piece of Android spyware was spotted late last month, masquerading as an app for the Occupy Central pro-democracy movement, which was spread via WhatsApp messages.

A subsequent piece of malware aimed at iPhones was being managed on the same server as the Android threat, though it was unclear whether that was directed at pro-democracy demonstrators.

“We can only expect this type of geopolitical attack to be on the rise as defenders don’t seem to be on top of their game and the attackers have all the time and resources to go after these sites,” said TK Keanini, chief technology officer at security firm Lancope. “Until the cost to the attackers are raised, these websites will fall one after another as we have been witnessing over the past five years.”

On the other side, the Anonymous hacktivist collective has pledged to attack digital infrastructure of the current Hong Kong government. It’s threatened to take out websites belonging to the regime.