Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Tracking & Law Enforcement

Great Cannon: Attack Tool Used by China for Censorship Enforcement

“Great Cannon” Is the Tool Used by China to Launch DDoS Attacks on GitHub and GreatFire

“Great Cannon” Is the Tool Used by China to Launch DDoS Attacks on GitHub and GreatFire

Researchers have analyzed a new offensive system that they believe has been used by the Chinese government in the recent distributed denial-of-service (DDoS) attacks against GitHub and the anti-censorship organization GreatFire.

According to Citizen Lab researchers at the University of Toronto, the new tool, dubbed “Great Cannon,” is co-located with the Chinese government’s notorious Great Firewall censorship system. However, Great Cannon is a separate system with different capabilities and design.

The man-in-the-middle (MitM) tool is designed to inject malicious packets into unencrypted traffic. It can be used both for DDoS attacks, as demonstrated by the recent incidents, and to deliver exploits to computers outside of China that communicate with a Chinese website that doesn’t fully encrypt traffic.

In the attacks against GreatFire and GitHub, the attackers injected malicious JavaScript into Baidu connections. In these attacks, Great Cannon intercepted traffic going to Baidu servers hosting analytics, advertising and social script. When a connection coming from outside China was detected, the request was dropped and a malicious script was sent back to the user.

Citizen Lab says roughly 2% of the requests were altered to serve malicious JavaScript. The script in question was designed to enlist infected computers as participants in the DDoS attacks against GreatFire’s website and the organization’s GitHub repositories.

It’s worth noting that China briefly blocked GitHub back in 2013, but the block was quickly lifted after local programmers protested against the decision.

Baidu has denied taking part in the attack. Furthermore, the company claims its systems have not been compromised.

Advertisement. Scroll to continue reading.

“The incorporation of Baidu in this attack suggests that the Chinese authorities are willing to pursue domestic stability and security aims at the expense of other goals, including fostering economic growth in the tech sector. Selecting Baidu’s international traffic may appear counterproductive given the importance of Baidu to the Chinese economy: the company enjoys stature as one of China’s ‘big three’ Internet firms, alongside Alibaba and Tencent, and currently ranks as the top site in China,” Citizen Lab wrote in its report.

Citizen Lab researchers have analyzed a fraction of the IP addresses used in the DDoS attack against GreatFire.com. Of a total of roughly 13,000 unique IP addresses, nearly 6,000 were traced to Taiwan, followed by Hong Kong (over 3,000 IPs), the United States (800 IPs), Malaysia (750 IPs) and Australia (350 IPs).

When asked about its involvement in the attack against GitHub, China didn’t give a direct response. Instead, representatives of the Chinese government said it’s “quite odd” that China is always blamed for cyberattacks against websites in the US and other countries, and they reiterated that the country is one of the major victims of hacker attacks.

However, Citizen Lab says there is clear evidence connecting the Great Cannon to the Chinese government and the Great Firewall of China. Experts say the Great Cannon is co-located with the Great Firewall and the tools share some source code.

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users,” researchers noted.

While so far the Great Cannon has only been seen in action in the recent DDoS attacks, the design of the tool enables its operators to deliver malware to targeted individuals who communicate with Chinese servers that don’t use HTTPS, experts said.

Citizen Lab has pointed out that the United States National Security Agency (NSA) and the United Kingdom’s Government Communications Headquarters (GCHQ) have also reportedly tampered with unencrypted Web traffic as part of a program dubbed “QUANTUM.” Several other governments are also likely involved in such activities considering that companies such as Hacking Team and FinFisher provide similar tools to authorities worldwide.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.

Register

As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.

Register

Expert Insights

Related Content

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

Daniel Kelley was just 18 years old when he was arrested and charged on thirty counts – most infamously for the 2015 hack of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Cybercrime

Spanish Court agreed to extradite Joseph James O’Connor to he U.S., who allegedly took part in the July 2020 hacking of Twitter accounts of...

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Cybercrime

A global cyber espionage campaign has resulted in the networks of many organizations around the world becoming compromised after the attackers managed to breach...