Hong Kong protests in June 2019 brought as many as two million demonstrators onto the streets to fight a planned extradition law that would allow mainland China’s government to pull dissenters from Hong Kong for charging in Beijing. These mass demonstrations were largely coordinated through Telegram, an app that provides end-to-end encryption and the ability to manage communications for very large groups.
On 12 June, in the midst of the demonstrations, Telegram was subjected to a DDoS attack featuring a bombardment of data at up to 350 Gbps over a total of 22 hours. Although customers worldwide reported some disruption, this attack had no obvious effect on the Hong Kong demonstrations.
Technical analysis of the DDoS attack did not point to any specific actor. Pavel Durov, founder of Telegram, reported that the IP addresses used in the attack were mostly in China. Beyond that, there is a circumstantial case that the Chinese government took action in the cyber realm to disrupt those demonstrations. First, the protests were explicitly directed at Beijing’s attempt to establish an extradition regime with Hong Kong. Beijing had also criticized the demonstrations in official media and social media. Durov himself believed that the scale of the attack reflected the capabilities of a state actor. In addition, a similar DDoS attack was conducted against Telegram in 2015 when the app was being used inside China by human rights activists. Telegram was even associated with the activists in official Chinese media while that attack was going on.
If China, largely regarded as a major cyber power, was the actor behind these attacks, this could hardly be called a successful operation. No notable disruption in protester coordination was reported. The demonstrations went on for many more days, grew in size, and succeeded in forcing the Hong Kong government to back away from action on the extradition bill.