Using DDoS as a Political Weapon; Hacktivism or Cyber Warfare in Hong Kong?

The city of Hong Kong was rocked by protests in early June, as hundreds of thousands of people demonstrated against legal changes that would make it easier to extradite people to China from the semi-autonomous city. Protesters were voicing their concern that China will use the law to extradite political opponents and others to China, where their legal protections cannot be guaranteed. On June 12, 2019 in the midst of those protests, the Telegram, a popular encrypted messaging service, was hit with a massive distributed denial of service (DDoS) attack (200-400 Gbps) that knocked the service offline for over an hour. The Telegram CEO blamed Chinese government-supported actors for the attack, citing that most of the sources of the junk traffic were IP addresses based in China. On Telegram’s Twitter account you can read the company’s lighthearted definition of a DDoS attack.

The theory is that China is behind the attacks because it has a vested interest in squelching communication among the protesters and, because it couldn’t control or access the encrypted messages the protesters were using to organize the protests, it just crippled the service completely. Will anyone ever know for sure whether the Chinese government, which has a reputation for suppressing political dissent, ordered the DDoS attack against Telegram? Probably not, because it is especially difficult to trace the true source of DDoS attacks. And, there may be a thin line between Chinese government actors and private actors. It can be hard to distinguish between rogue actors and nation-state warriors; this is even more true when it comes to war waged in a digital landscape.

SCMagazineUK reported, “Telegram CEO Pavel Durov isn’t crazy for suspecting the Chinese government is targeting Telegram,” said Paul Bischoff, privacy advocate at, in emailed comments. “It wouldn’t be the first time that China has weaponised botnets… to target websites with DDoS attacks,” he added, referring to a wave of attacks against GitHub in 2015 that experts say targeted pages containing content or links to content that was banned in China.”

According to another publication, TechCrunch, “This isn’t the first time that someone has tried to take down Telegram at a time when China was experiencing significant unrest. Four years ago, a similar attack struck the company’s service, just as China was initiating a crackdown on human rights lawyers in the country.”

If the attack was politically motivated it would not be the first, or likely the last, DDoS attack motivated by such conflict. When launched by non-state actors, cyberattacks are more often a form of “political hacktivism;” but when performed by government agents they are considered to be “cyber warfare.” Obviously, DDoS attacks are detrimental either way; they can cripple Internet applications or websites, and can be used as a tool in broader cyber attacks. If a government has control over its country’s Internet service providers then they can ensure a targeted DDoS attack they generated does not get blocked, even if those providers do have mitigation technology. It’s impossible to block bad traffic at the network edge when the bad guys control the operators.

It’s not clear how Telegram coped with this attack; whether the hackers simply stopped, or if Telegram was able to re-route traffic to servers which were DDoS protected. The Telegram attack was an anomaly, with respect to the relatively huge volume of traffic sent in order to cripple the service. As revealed in Corero’s 2018 DDoS Trends Report, the vast majority of DDoS attacks, which are eminently capable of booting a web service offline, are not in the hundreds-of-gigabits per second range; 98% of attacks seen were actually less than 10Gbps in size. Such sub-saturating attacks that are often overlooked as “network noise”, for those without proper DDoS protection, but they are regularly just as damaging with their impact.

Regardless of the size of DDoS attacks, major telecommunications companies, enterprises and governments have reason for concern, because it doesn’t take a lot of coding or money to launch a DDoS attack—DDoS for hire services are incredibly cheap, and the attacks are easy to launch. Organizations of all types and sizes are vulnerable and should not wait until an attack happens before taking the steps to deploy DDoS protection.

Corero has been providing DDoS mitigation to telecommunications companies, managed security service providers, hosting providers and enterprises for over a decade; to learn how we can help your organization protect itself from DDoS attacks, contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.