China Launches MitM Attack on Google Users

Chinese authorities want to keep tabs on the users of an education and research network so they have started intercepting encrypted traffic to and from Google’s servers, an organization that monitors online censorship in China reported on Thursday.
Google, just like many other popular websites, is blocked in China. However, since the search engine is highly valuable for research purposes, authorities allow access to it through CERNET, a nationwide education and research computer network.

However, according to the non-profit organization GreatFire, starting on August 28, CERNET users have been seeing warning messages about invalid SSL certificates when trying to access Google. Experts believe authorities have launched a man-in-the-middle (MitM) attack against the encrypted traffic between CERNET and Google to see what people are searching for.

“Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results,” GreatFire said in a blog post.

Netresec has analyzed two of the packet captures used in the attacks and it has determined that the operation was conducted from within China.

“It’s difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method. A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google,” Netresec researchers noted in a blog post.
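The reasoning Netresec applies above, first ruling out DNS spoofing and then attributing the interception to something on the path, can be turned into a routine check on a client's own connections. The following is an added example, not code from the SecurityWeek article, GreatFire or Netresec: given the address a client actually reached and the certificate presented there, it labels the connection "ok", "dns_spoofing" (sent to an address outside the expected ranges) or "path_interception" (legitimate address, unexpected certificate). Every prefix, issuer name and fingerprint in it is a constructed placeholder (TEST-NET documentation ranges); the certificate dictionary uses the same layout that Python's `ssl.SSLSocket.getpeercert()` returns, so a real deployment would pin the values it observes from a trusted network path and feed in live connections.

```python
"""Added example: classify TLS connections the way Netresec reasoned about the
CERNET/Google interception. All constants are constructed placeholders."""
import hashlib
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed: ranges the legitimate service is expected to answer from
# (RFC 5737 documentation prefixes, not a real provider's ranges).
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

# Constructed: issuer organisation expected on the leaf certificate.
EXPECTED_ISSUERS = {"Example Trust Services"}

# Constructed: DER bytes standing in for leaf certificates we have pinned.
PINNED_DER = [b"constructed-der-bytes-for-the-real-leaf-cert"]
PINNED_FINGERPRINTS = {hashlib.sha256(d).hexdigest() for d in PINNED_DER}

# Constructed certificate dicts in the getpeercert() layout:
# a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
GOOD_CERT = {"subject": ((("commonName", "www.example"),),),
             "issuer": ((("organizationName", "Example Trust Services"),),)}
FORGED_CERT = {"subject": ((("commonName", "www.example"),),),
               "issuer": ((("organizationName", "Interposed Device CA"),),)}


def issuer_org(cert: dict) -> Optional[str]:
    """Return the issuer's organizationName from a getpeercert()-style dict.
    Returns None for an empty dict, which is what getpeercert() yields when
    the certificate was not validated (verify_mode=CERT_NONE)."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def classify(peer_ip: str, cert: dict, der: bytes,
             prefixes: Iterable = EXPECTED_PREFIXES,
             issuers=EXPECTED_ISSUERS,
             pins=PINNED_FINGERPRINTS) -> str:
    """Label one connection. Address checks come first: a client that was
    steered to an address outside the expected ranges had its resolution
    tampered with, regardless of what certificate it was then shown."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in prefixes):
        return "dns_spoofing"
    # Legitimate address: the only way to see a different certificate here
    # is an on-path device terminating TLS (hijacked route, injection).
    fingerprint = hashlib.sha256(der).hexdigest()
    if fingerprint in pins:
        return "ok"
    if issuer_org(cert) in issuers:
        return "ok"  # rotated leaf under the expected issuer
    return "path_interception"


# Constructed connection records: (peer address, cert dict, DER bytes).
SAMPLE_CONNECTIONS: List[Tuple[str, dict, bytes]] = [
    ("203.0.113.10", GOOD_CERT, PINNED_DER[0]),        # normal session
    ("192.0.2.55", GOOD_CERT, PINNED_DER[0]),          # redirected client
    ("203.0.113.10", FORGED_CERT, b"constructed-der-for-forged-cert"),
]


def audit(connections) -> List[Tuple[str, str]]:
    """Run classify over a batch of records and return (address, verdict)."""
    return [(ip, classify(ip, cert, der)) for ip, cert, der in connections]


if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_CONNECTIONS):
        print(f"{ip:15} {verdict}")
```

When wiring this to live traffic, pass `getpeercert()` and `getpeercert(binary_form=True)` from an `ssl` socket; note that the dictionary form is empty unless the certificate was validated, so for an interposed certificate that fails validation only the fingerprint branch can clear it, which is why the fallback verdict is "path_interception" rather than "ok".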

This isn’t the first time Chinese authorities have launched such attacks. In January 2013, GitHub users in China reported seeing warning messages about invalid certificates. At the time, experts assumed that the MitM attack was launched due to a petition asking that the creators of the “Great Firewall of China,” the country’s censorship system, be denied entry to the United States. The names of people who allegedly contributed to the technical infrastructure behind the censorship system were published on GitHub, which might have been the reason why authorities decided to target the website.

Netresec says the MitM attack on Google is similar to the one launched last year against GitHub, but it’s not identical.
While Chinese authorities are trying to keep a close eye on the country’s Internet users, recent reports show that the country’s cybercrime marketplace boomed last year.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.