Researchers at FireEye have discovered ties between a series of distributed denial-of-service (DDoS) attacks aimed at Hong Kong pro-democracy websites and advanced persistent threat (APT) activity coming from within China.

In a blog post, researchers asserted the attacks are tied to “previously observed APT activity, including Operation Poisoned Hurricane.” They discovered several binaries that are coded to “receive instructions from a set of command and control (C2) servers instructing participating bots to attack” websites owned by Next Media as well as the HKGolden forum that has been used to organize protests.

“Each sample we identified is signed with digital certificates that have also been used by APT actors to sign binaries in previous intrusion operations,” researchers noted.

While the evidence doesn’t prove the DDoS attackers are behind intrusion activity, “it may indicate that a common quartermaster supports both…,” experts said.