Honker’s Union of China (HUC): Quantity and Quality

Mitch Edwards
Apr 11, 2018

China’s got a unique hacker culture…

BLUF: HUC began as a nationalist hacking collective, loosely organized, and operating on a strict meritocracy. I assess that they have further fragmented and have the potential to operate on a higher level of reactivity, with the potential for quantity-and-quality attacks akin to a blitzkrieg of targeted, special forces operations.

If you asked the normal, culture-savvy hacker in the West about hacktivist groups, 10/10 of them would likely mention Anonymous or one of their sects. There isn’t too much visibility into the hacking society of more remote cultures like China’s. There is an assumption that, because of their economic crises in the 1900s, there isn’t much of a hacking culture in the country’s average population, and that they are just now starting to catch up to the West in that regard.

I penned an article earlier, one that is going to serve as the basis of future research on the group, about China’s Green Army. That was a particular collective with a set, known hierarchy. This distinguishes that group from Anonymous and from the subject of this article, the Honker’s Union of China.

I touched on HUC a lot in my previous Chinese Threat Intelligence articles. I would recommend reading those over before this article, as the previous articles serve as the historical basis of this one. This article will instead focus on the modern state of the HUC, garnered from OSINT research, prior experience, etc.

The Honker’s Union of China, generally defined by their longstanding forum, is a Chinese-language hacking group, associated with Chinese nationalism, attacks against Western government and private entities in response to political upheaval, and reactionary, quantity-over-quality attacks against targets that generally align with Communist Party rivals. They aren’t necessarily a single group: they’re more of a collection of smaller groups with different specific aims, almost a mirror image of the structure of the Anonymous collective.

Now, though, HUC has changed. They are fragmented, divided between several different forums, with differing levels of activity. The oldest one, registered by Li0n himself, is largely inactive, and other popular versions that have emerged over the years seem to have sporadic activity. There exist underground sites, ones hosted on the Tor network, that seem to have a criminal slant, but my assessment is that the HUC has gone the way of the rest of China’s hackerspace.

China’s criminal and research hackerspace has largely moved to QQ and WeChat group messages, likely to avoid censorship and surveillance and to adhere to their Master/Apprentice hierarchy. Chinese hacking syndicates seem to operate in closed, invite-only groups, consisting of numerous “apprentices” with a lower-level understanding of security topics and higher-level “masters” that lead the groups’ activities. The apprentices seem to practice their trade by taking care of the more menial activities like processing card dumps, running network scans, writing phishing emails, and other lower-level activities, while the masters direct the “activities” and take care of the higher-capability actions like exploitation and CNO.

It’s very likely that HUC has followed this hierarchical change, as they naturally fell into it from the beginning. HUC depended on quantity-over-quality attacks like email bombs, DDoS attacks, and mass web defacements. This had the added benefit of disguising more advanced threats, like intrusions for the sake of IP theft and the stealing of confidential information, in the cloud of low-capability mass attacks. They operated on an understood meritocracy, with one’s advanced attacks earning a higher reputation. Many of their current sites operate in a similar manner, with “XP” points on forums acting as a sort of currency to buy new tools, take part in new discussions, etc.

HUC’s fragmentation does not mean they are less of a threat. I argue that it may be the opposite. Fragmentation does not eliminate the capability of advanced actors, and the Master/Apprentice hierarchy allows for the training of new ones. It allows for even more reactivity, with fragmentation, lack of centralized communications, and lack of organizational structure facilitating high quantities of advanced operations by actors with differing TTPs, differing motives and targets, and differing levels of expertise.

Mitch Edwards

Cyber Threat Intelligence Analyst, primarily focused on Chinese cyber crime and APT activity. GitHub: https://github.com/vikingSec