Security Experts:

Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Great Cannon: Attack Tool Used by China for Censorship Enforcement

“Great Cannon” Is the Tool Used by China to Launch DDoS Attacks on GitHub and GreatFire

“Great Cannon” Is the Tool Used by China to Launch DDoS Attacks on GitHub and GreatFire

Researchers have analyzed a new offensive system that they believe has been used by the Chinese government in the recent distributed denial-of-service (DDoS) attacks against GitHub and the anti-censorship organization GreatFire.

According to Citizen Lab researchers at the University of Toronto, the new tool, dubbed “Great Cannon,” is co-located with the Chinese government’s notorious Great Firewall censorship system. However, Great Cannon is a separate system with different capabilities and design.

The man-in-the-middle (MitM) tool is designed to inject malicious packets into unencrypted traffic. It can be used both for DDoS attacks, as demonstrated by the recent incidents, and to deliver exploits to computers outside of China that communicate with a Chinese website that doesn’t fully encrypt traffic.

In the attacks against GreatFire and GitHub, the attackers injected malicious JavaScript into Baidu connections. In these attacks, Great Cannon intercepted traffic going to Baidu servers hosting analytics, advertising and social script. When a connection coming from outside China was detected, the request was dropped and a malicious script was sent back to the user.

Citizen Lab says roughly 2% of the requests were altered to serve malicious JavaScript. The script in question was designed to enlist infected computers as participants in the DDoS attacks against GreatFire’s website and the organization’s GitHub repositories.

It’s worth noting that China briefly blocked GitHub back in 2013, but the block was quickly lifted after local programmers protested against the decision.

Baidu has denied taking part in the attack. Furthermore, the company claims its systems have not been compromised.

“The incorporation of Baidu in this attack suggests that the Chinese authorities are willing to pursue domestic stability and security aims at the expense of other goals, including fostering economic growth in the tech sector. Selecting Baidu’s international traffic may appear counterproductive given the importance of Baidu to the Chinese economy: the company enjoys stature as one of China’s ‘big three’ Internet firms, alongside Alibaba and Tencent, and currently ranks as the top site in China,” Citizen Lab wrote in its report.

Citizen Lab researchers have analyzed a fraction of the IP addresses used in the DDoS attack against Of a total of roughly 13,000 unique IP addresses, nearly 6,000 were traced to Taiwan, followed by Hong Kong (over 3,000 IPs), the United States (800 IPs), Malaysia (750 IPs) and Australia (350 IPs).

When asked about its involvement in the attack against GitHub, China didn’t give a direct response. Instead, representatives of the Chinese government said it’s “quite odd” that China is always blamed for cyberattacks against websites in the US and other countries, and they reiterated that the country is one of the major victims of hacker attacks.

However, Citizen Lab says there is clear evidence connecting the Great Cannon to the Chinese government and the Great Firewall of China. Experts say the Great Cannon is co-located with the Great Firewall and the tools share some source code.

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users,” researchers noted.

While so far the Great Cannon has only been seen in action in the recent DDoS attacks, the design of the tool enables its operators to deliver malware to targeted individuals who communicate with Chinese servers that don’t use HTTPS, experts said.

Citizen Lab has pointed out that the United States National Security Agency (NSA) and the United Kingdom’s Government Communications Headquarters (GCHQ) have also reportedly tampered with unencrypted Web traffic as part of a program dubbed “QUANTUM.” Several other governments are also likely involved in such activities considering that companies such as Hacking Team and FinFisher provide similar tools to authorities worldwide.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami along with five associates in Europe


Russian Vladislav Klyushin made tens of millions of dollars by hacking into U.S. computer networks to steal insider information.


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...