Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

China Launches MitM Attack on Google Users

Chinese authorities want to keep tabs on the users of an education and research network so they have started intercepting encrypted traffic to and from Google’s servers, an organization that monitors online censorship in China reported on Thursday.

Chinese authorities want to keep tabs on the users of an education and research network so they have started intercepting encrypted traffic to and from Google’s servers, an organization that monitors online censorship in China reported on Thursday.

Google, just like many other popular websites, is blocked in China. However, since the search engine is highly valuable for research purposes, authorities allow access to it through CERNET, a nationwide education and research computer network.

However, according to the non-profit organization GreatFire, starting on August 28, CERNET users have been seeing warning messages about invalid SSL certificates when trying to access google.com and google.com.hk. Experts believe authorities have launched a man-in-the-middle (MitM) attack against the encrypted traffic between CERNET and Google to see what people are searching for.

Google Blocked in China“Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results,” GreatFire said in a blog post.

Netresec has analyzed two of the packet captures used in the attacks and it has determined that the operation was conducted from within China.

“It’s difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method. A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google,” Netresec researchers noted in a blog post.

This isn’t the first time Chinese authorities launch such attacks. In January 2013, GitHub users in China reported seeing warning messages about invalid certificates. At the time, experts assumed that the MitM attack was launched due to a petition asking that the creators of the “Great Firewall of China,” the country’s censorship system, be denied entry to the United States. The names of people who allegedly contributed to the technical infrastructure behind the censorship system was published on GitHub, which might have been the reason why authorities decided to target the website. 

Netresec says the MitM attack on Google is similar to the one launched last year against GitHub, but it’s not identical.

While Chinese authorities are trying to keep a close eye on the country’s Internet users, recent reports show that the country’s cybercrime marketplace boomed last year.

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.