Starting at the end of March, two services on the Internet inexplicably found themselves under a massive distributed denial-of-service (DDoS) attack of such intensity and duration that it was almost certainly state-sponsored. The two services, GreatFire and GitHub, were attacked for about two weeks.
According to a report from Citizen Lab, an interdisciplinary laboratory at the Munk School of Global Affairs at the University of Toronto, the cyber-attack capability that struck the two sites is related to and probably located within the “Great Firewall” of China, and for this reason, the researchers named it the “Great Cannon.” Its first use was to attack those two sites, apparently because they hosted things the Chinese government doesn’t like.
It’s no surprise that GreatFire has earned the enmity of the Chinese government. GreatFire says on its home page that it provides transparency to the Great Firewall of China by publishing information on blocked search terms and other activities by the government to limit Web access to users within China. GitHub may have been targeted because the site, which provides a software development and code-swapping service, includes code to evade Chinese censorship.
Researchers at Citizen Lab monitored the activities of the Great Cannon until the attacks stopped on April 8. Then the researchers produced a detailed report on exactly what China was doing and how they were doing it.
I’ll avoid getting too deeply into the technical details. For those, you can read the full Citizen Lab report. In short, the Chinese attackers intercepted a small fraction of the traffic aimed at China’s top search engine, Baidu, and sent their own reply back to the requesting computer as if it had come from the search engine. That forged reply carried malware that hijacked the requesting computer into a botnet aimed specifically at GreatFire and GitHub.
What’s most concerning about the capabilities of the Great Cannon is that it’s apparently capable of attacking any computer located anywhere and it can be used to insert malware remotely. However, at this point, it’s not capable of tapping into encrypted sessions, so users who go to an encrypted Website currently aren’t affected.
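The reason encrypted sites are out of the Great Cannon’s reach is that an in-path injector can only answer requests it can read, so the practical check for a site owner is whether any page still pulls a script or other resource over plain HTTP. The following auditor is an added example written for this article; it is not code from the Citizen Lab report or from either attacked site. It uses only the Python standard library, and the HTML it scans is constructed for illustration (the hostnames in it are placeholders).

```python
"""Audit an HTML page for subresources that an in-path injector could substitute.

Added example (not from the article or the Citizen Lab report). Any script, stylesheet,
frame or image fetched over plain HTTP can be replaced by whoever sits on the path, so
each such reference is reported. Cross-origin scripts fetched over HTTPS but without a
Subresource Integrity (SRI) hash are reported separately: the transport is protected,
but the page has not pinned the script's content.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose fetched resource can execute in or alter the page, and the attribute
# that carries the resource URL.
RESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src",
                  "img": "src", "object": "data"}


class SubresourceAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        parsed = urlparse(page_url)
        self.page_scheme = parsed.scheme
        self.page_host = parsed.hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only <link> elements that load a stylesheet fetch executable-ish content.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs.get(attr_name)
        if not url:
            return
        parsed = urlparse(url)
        # Relative ("/x.js") and protocol-relative ("//host/x.js") URLs inherit
        # the scheme of the page that embeds them.
        scheme = parsed.scheme or self.page_scheme
        if scheme == "http":
            self.findings.append({"tag": tag, "url": url, "issue": "plain-http"})
        elif (tag == "script" and parsed.hostname
              and parsed.hostname != self.page_host
              and "integrity" not in attrs):
            self.findings.append({"tag": tag, "url": url, "issue": "cross-origin-no-sri"})


def audit(html, page_url):
    """Return a list of findings for the page served at page_url."""
    parser = SubresourceAuditor(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page: hostnames are placeholders, not real sites.
SAMPLE_HTML = """
<html><head>
<script src="http://analytics.example.net/tracker.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//cdn.example.org/other.js"></script>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.org/pinned.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/js/app.js"></script>
</head><body><img src="http://img.example.com/a.png"></body></html>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, "https://www.example.com/"):
        print(f"{finding['issue']:20} <{finding['tag']}> {finding['url']}")
```

Run against the sample page served over HTTPS, the auditor flags the two plain-HTTP references and the two cross-origin scripts that carry no `integrity` attribute; the pinned script and the same-origin resources pass. Running the same page with an `http://` page URL makes every relative reference a finding too, which is the point: only a fully encrypted page closes the injection window the article describes.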
The analysis performed by the folks at Citizen Lab seems persuasive. The attack was directed by China, even though the computers being used to create the DDoS traffic were located worldwide.
This is the first time any government has performed such an attack so openly. While the Chinese attack used techniques that Citizen Lab’s researchers attribute to the U.S. National Security Agency and the U.K.’s Government Communications Headquarters (GCHQ), neither organization has openly and blatantly taken out publicly available Websites.
China Unlimbers ‘Great Cannon’ to Block Web Content It Doesn’t Like
At this point, it’s unclear whether the Chinese action was a failed attempt to shut down the sites that were attacked, a warning to those sites to stop fighting China’s censorship or simply a demonstration of what the Chinese hackers can do if they choose. Regardless, the attacks are clearly an escalation in the cyber-war between China and its perceived adversaries around the world.
Perhaps more importantly, they gave the lie to the call for cooperation, openness and global security standards made by Chinese Vice Premier Ma Kai at the CeBIT opening ceremonies in Hannover, Germany, a few days earlier.
The problem, unfortunately, is that once the cyber-war is out in the open, there’s little reason to conceal it again. It appears that the Chinese, having gotten away with two very public attacks, believe they are free to do it again with impunity against targets of their choosing.
More worrisome is the possibility that the malware that the Great Cannon distributes next time could be something much worse and the results more dire than slowing access to a couple of Websites.
Once China crosses that line, what’s next? Will we see Chinese attacks out of the blue on news sites as they report on China? Will the Today show’s Website go offline when NBC News reports something about China that the government doesn’t like? Or, perhaps, the White House site will be attacked by the Great Cannon after the president gives a speech unfavorable to China.
China might decide that the repercussions of these attacks make them not worth doing. Or this could prove to be the opening round of a campaign to intimidate anything on the Internet that China doesn’t like.
But if those scenarios do turn out to be even partly true, how long will it take before the nations in the West take exception? How long before some nameless U.S. agency doubles down in retaliation?
Fortunately, there are things that will limit such attacks from taking over the Internet. Encrypted Websites are very common in the West, which makes it harder for the Chinese botnets to be set up. In addition, most modern cyber-security measures can detect the Chinese malware and eliminate it. There are also companies that provide cloud-based anti-DDoS services that can at least reduce the effectiveness of Chinese attacks.
Perhaps Ma Kai’s wishes for cooperation on the Internet hadn’t been heard by the Chinese makers of the Great Cannon, and they will now be dissuaded from further attacks. But I’m not holding my breath.
I think that the same misdirection technique that the Great Cannon used to reroute packets is at the core of Chinese tactics to control Internet access and Web content it doesn’t like. They won’t give up until the rest of the world proves that they won’t stand for it.