Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

China Launches MitM Attack on Google Users

Chinese authorities want to keep tabs on the users of an education and research network so they have started intercepting encrypted traffic to and from Google’s servers, an organization that monitors online censorship in China reported on Thursday.

Chinese authorities want to keep tabs on the users of an education and research network so they have started intercepting encrypted traffic to and from Google’s servers, an organization that monitors online censorship in China reported on Thursday.

Google, just like many other popular websites, is blocked in China. However, since the search engine is highly valuable for research purposes, authorities allow access to it through CERNET, a nationwide education and research computer network.

However, according to the non-profit organization GreatFire, starting on August 28, CERNET users have been seeing warning messages about invalid SSL certificates when trying to access google.com and google.com.hk. Experts believe authorities have launched a man-in-the-middle (MitM) attack against the encrypted traffic between CERNET and Google to see what people are searching for.

Google Blocked in China“Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results,” GreatFire said in a blog post.

Netresec has analyzed two of the packet captures used in the attacks and it has determined that the operation was conducted from within China.

“It’s difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method. A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google,” Netresec researchers noted in a blog post.

This isn’t the first time Chinese authorities launch such attacks. In January 2013, GitHub users in China reported seeing warning messages about invalid certificates. At the time, experts assumed that the MitM attack was launched due to a petition asking that the creators of the “Great Firewall of China,” the country’s censorship system, be denied entry to the United States. The names of people who allegedly contributed to the technical infrastructure behind the censorship system was published on GitHub, which might have been the reason why authorities decided to target the website. 

Netresec says the MitM attack on Google is similar to the one launched last year against GitHub, but it’s not identical.

While Chinese authorities are trying to keep a close eye on the country’s Internet users, recent reports show that the country’s cybercrime marketplace boomed last year.

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...