China Unlimbers 'Great Cannon' to Block Web Content It Doesn't Like

By Wayne Rash  |  Posted 2015-04-12 Print this article Print
Great Cannon

NEWS ANALYSIS: China's cyber-warriors try out new attack technology to take out sites it doesn't like, apparently using lessons it learned from the U.S. and U.K.

Starting at the end of March, two services on the Internet inexplicably found themselves under a massive distributed denial-of-service (DDoS) attack of such intensity and duration that it was almost certainly state-sponsored. The two services, GreatFire and GitHub, were attacked for about two weeks.

According to a report from Citizen Lab, an interdisciplinary function of the Munk School of Global Affairs at the University of Toronto, the cyber-attack capability that struck the two sites is related to and probably located within the "Great Firewall" of China, and for this reason, the researchers named it the "Great Cannon." Its first use was to attack those two sites apparently because they hosted things the Chinese government doesn't like.

It's no surprise that GreatFire has earned the enmity of the Chinese government. GreatFire says on its home page that it provides transparency to the Great Firewall of China by publishing information on blocked search terms and other activities by the government to limit Web access to users within China. GitHub may have been targeted because the site, which provides a software development and code-swapping service, includes code to evade Chinese censorship.

Researchers at Citizen Lab monitored the activities of the Great Cannon until the attacks stopped on April 8. Then the researchers produced a detailed report on exactly what China was doing and how they were doing it.

I'll avoid getting too deeply into the technical details. For those, you can read the full Citizen Lab report. But what the Chinese attackers did was siphon off a small amount of traffic aimed at China's top search engine, Baidu, and then send it back to the requesting computer as if it were a reply from the search engine. However, the packet stream contained malware that hijacked the requesting computer into a botnet aimed specifically at GreatFire and GitHub.

What's most concerning about the capabilities of the Great Cannon is that it's apparently capable of attacking any computer located anywhere and it can be used to insert malware remotely. However, at this point, it's not capable of tapping into encrypted sessions, so users who go to an encrypted Website currently aren't affected.

The analysis performed by the folks at Citizen Lab seems persuasive. The attack was directed by China, even though the computers being used to create the DDoS traffic were located worldwide.

This is the first time any government has performed such an attack so openly. While the Chinese attack used techniques that Citizen Lab's researchers attribute to the U.S. National Security Agency and the U.K.'s Government Communications Headquarters (GCHQ), neither organization has openly and blatantly taken out publically available Websites.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel