
5% of Hong Kong critical infrastructure had 'system vulnerabilities' in 2024, police cybersecurity report finds
Credential leakage and compromise, hijackable subdomains, and exposed cloud storage were three critical and high-risk vulnerabilities identified in the systems of some key infrastructure facilities in Hong Kong last year, the Cyber Security and Technology Crime Bureau (CSTCB) said in its Cybersecurity Report released on Sunday.
The 36-page document was the CSTCB's first report on cybersecurity issues in Hong Kong and around the world.
The bureau found that 89 per cent of the system vulnerabilities identified during the Internet-facing Assets Security Assessment conducted last year on key infrastructure were of medium or low risk.
The remaining 11 per cent were critical and high-risk vulnerabilities.
One of the medium- and low-risk vulnerabilities identified was email servers of key infrastructure being blacklisted. The CSTCB said it may indicate a compromise and possible integration into a botnet – a network of computers or devices infected with malicious software and remotely controlled by a cybercriminal or hacker.
Other low-risk vulnerabilities included invalid or outdated cybersecurity certificates, weak cryptographic keys, unrestricted ports that can be exploited for malicious purposes, and hosting internal or sensitive systems on publicly accessible webpages.
'After the vulnerability testing, all identified system vulnerabilities were promptly patched, and the affected organisation [has] significantly enhanced their system security levels,' the report read.
The CSTCB also reported that it 'processed over 25 million pieces of cyber threat intelligence' last year. Among these, around 440,000 specifically targeted Hong Kong.
In addition, more than 280,000 phishing-related threats were detected in the past year. Phishing tactics can be used to conduct scams or serve as entry points for broader cyberattacks, the CSTCB warned.
In some cases, perpetrators used phishing to hijack WhatsApp accounts in Hong Kong. The CSTCB recorded 2,547 cases of WhatsApp hijacking, which resulted in losses reaching HK$73.5 million.
Sixty-five hacking incidents were recorded last year, with financial losses totalling HK$25.5 million. The number of ransomware cases stood at 46, with victims extorted for up to HK$38.8 million in total.
The CSTCB also handled five cases of Distributed Denial-of-Service (DDoS) attacks, which resulted in losses of up to HK$4.6 million.
'Despite the large volume of cyber threat intelligence collected, the number of successful attacks remained comparatively low,' the report read.
The CSTCB called on enterprises to learn from previous cybersecurity breaches and tackle issues such as inadequate access control and configuration, outdated and unpatched systems, and the lack of an effective threat detection mechanism, as some victim organisations took nearly 260 days to identify and contain a data breach.
In March, Hong Kong passed a law to enhance safeguards for the city's key infrastructure systems against cyberattacks, imposing fines of up to HK$5 million for cybersecurity lapses.
Under the law, critical infrastructure covers eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting.
The term also refers to infrastructures 'for maintaining important societal and economic activities,' including research and development parks and major sports and performance venues.