Security Experts:

Great Cannon: Attack Tool Used by China for Censorship Enforcement

“Great Cannon” Is the Tool Used by China to Launch DDoS Attacks on GitHub and GreatFire

Researchers have analyzed a new offensive system that they believe has been used by the Chinese government in the recent distributed denial-of-service (DDoS) attacks against GitHub and the anti-censorship organization GreatFire.

According to Citizen Lab researchers at the University of Toronto, the new tool, dubbed “Great Cannon,” is co-located with the Chinese government’s notorious Great Firewall censorship system. However, Great Cannon is a separate system with different capabilities and design.

The man-in-the-middle (MitM) tool is designed to inject malicious packets into unencrypted traffic. It can be used both for DDoS attacks, as demonstrated by the recent incidents, and to deliver exploits to computers outside of China that communicate with a Chinese website that doesn’t fully encrypt traffic.

In the attacks against GreatFire and GitHub, the attackers injected malicious JavaScript into Baidu connections. In these attacks, Great Cannon intercepted traffic going to Baidu servers hosting analytics, advertising and social script. When a connection coming from outside China was detected, the request was dropped and a malicious script was sent back to the user.

Citizen Lab says roughly 2% of the requests were altered to serve malicious JavaScript. The script in question was designed to enlist infected computers as participants in the DDoS attacks against GreatFire’s website and the organization’s GitHub repositories.

It’s worth noting that China briefly blocked GitHub back in 2013, but the block was quickly lifted after local programmers protested against the decision.

Baidu has denied taking part in the attack. Furthermore, the company claims its systems have not been compromised.

“The incorporation of Baidu in this attack suggests that the Chinese authorities are willing to pursue domestic stability and security aims at the expense of other goals, including fostering economic growth in the tech sector. Selecting Baidu’s international traffic may appear counterproductive given the importance of Baidu to the Chinese economy: the company enjoys stature as one of China’s ‘big three’ Internet firms, alongside Alibaba and Tencent, and currently ranks as the top site in China,” Citizen Lab wrote in its report.

Citizen Lab researchers have analyzed a fraction of the IP addresses used in the DDoS attack against GreatFire.com. Of a total of roughly 13,000 unique IP addresses, nearly 6,000 were traced to Taiwan, followed by Hong Kong (over 3,000 IPs), the United States (800 IPs), Malaysia (750 IPs) and Australia (350 IPs).

When asked about its involvement in the attack against GitHub, China didn’t give a direct response. Instead, representatives of the Chinese government said it’s “quite odd” that China is always blamed for cyberattacks against websites in the US and other countries, and they reiterated that the country is one of the major victims of hacker attacks.

However, Citizen Lab says there is clear evidence connecting the Great Cannon to the Chinese government and the Great Firewall of China. Experts say the Great Cannon is co-located with the Great Firewall and the tools share some source code.

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users,” researchers noted.

While so far the Great Cannon has only been seen in action in the recent DDoS attacks, the design of the tool enables its operators to deliver malware to targeted individuals who communicate with Chinese servers that don’t use HTTPS, experts said.

Citizen Lab has pointed out that the United States National Security Agency (NSA) and the United Kingdom’s Government Communications Headquarters (GCHQ) have also reportedly tampered with unencrypted Web traffic as part of a program dubbed “QUANTUM.” Several other governments are also likely involved in such activities considering that companies such as Hacking Team and FinFisher provide similar tools to authorities worldwide.

view counter
Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.