Chinese hackers used malicious software to monitor journalists and activist groups involved in the Hong Kong protests this year, according to new research from the cybersecurity company FireEye. Attackers used Dropbox and other cloud storage providers to communicate malware after targeting users with a phishing message.

The hackers launched a spearphishing campaign, which involves targeting a specific person with an email that appears to be from a known source, against Hong Kong-based media organizations and protest leaders in August 2015. There is evidence of Beijing’s concern with Hong Kong, where 79 days of pro-democracy demonstrations brought the semi-autonomous city to a halt in 2014. FireEye stopped short of directly linking the Chinese government to the hack but stipulated the attack had the sophistication level of a nation state.

“The media organizations targeted with the threat group’s well-crafted Chinese-language lure documents are precisely those whose networks Beijing would seek to monitor,” FireEye said in a blog post published Tuesday. “Cyberthreat groups’ access to the media organization’s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial-of-service attacks.”

Hong Kong Dropbox Figure 1 A FireEye screenshot of the message used against independent media in Hong Kong. Photo: FireEye

Hong Kong activists already try to keep ahead of surveillance by using multiple mobile phones, encrypted messaging apps, ephemeral messaging apps and codewords to schedule in-person meetings. As journalists and activists started to become more careful with email, hackers began attaching malware to files in Dropbox and other cloud providers. Dropbox did not immediately respond to a request for comment, though the company’s involvement in the investigation helped FireEye determine that the August attack might be part of a larger trend conducted by admin@338, a known cyberthreat actor.

“Our cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it,” FireEye said. “The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and limited duration, we suspect this second operation involves up to 50 targets.”

China has consistently denied involvement in major hacking campaigns against its own citizens as well as international entities. FireEye’s research comes after U.S. officials told the Washington Post that China’s civilian spy agency, the Ministry of State Security, continues to conduct major commercial espionage action against U.S. companies. China and the U.S. agreed in September not to conduct or support the theft of intellectual property.