A few weeks ago Github was the target of a malicious distributed denial of service (DDoS) attack focusing on pages owned by pro-Chinese free speech websites.
Now, researchers at the University of Toronto’s Citizen Lab have released a bombshell report about a Chinese cyberweapon they have dubbed “The Great Cannon,” which appears to be the source of the attacks.
The researchers began looking into the bizarre Github attack as soon as it happened.
Bill Marczak, the lead researcher at Citizen Lab, explained to Business Insider that as soon as they saw the strange traffic patterns causing the DDoS attacks, they thought, “Oh, this was interesting.”
What was interesting, explained fellow co-lead Nicholas Weaver of UC Berkeley, was that they observed traffic being blocked. Whatever was happening to Github was blocking communication.
China has been known for years for its Great Firewall, which was the huge censoring filter the regime imposes on all web users using its networks. But while the Great Firewall is a tool for censorship, it never blocks communication.
Then, they set out to see if they could duplicate the attack.
The researchers concluded that the Great Cannon is “a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”
In laymen’s terms this means that anyone visiting an unsecure website could unwittingly be used as a tool in cyberwarfare. Any web user that visits an unencrypted Chinese website could be have code injected into their systems before they reached the site, which would cause the web user to be part of a DDoS attack.
Even more frightening is the potential the Great Cannon could have as a spying tool. “With a few tweaks, the Great Cannon could be used to spy on anyone who happens to fetch content hosted on a Chinese computer, even by visiting a non-Chinese website that contains Chinese advertising content,” the New York Times writes.
The two researchers have slightly different backgrounds, but their expertise met when they analysed these attacks.
Weaver has been studying the Great Firewall for quite a while. His academic interest focuses on network measurement and how online communication. China’s censorship has been around for so long and so well-known, that it was a great way for him to test how internet censorship works.
Marczak’s background is primarily in regimes and organisations launching active cyber attacks. Thus, a project involving China — who is known for surveillance and censorship — was somewhat new to him. “I focus on the Middle East,” he told Business Insider. “How governments are working to hack dissidents and spy on them.”
What makes the Great Cannon so interesting is that it’s a sort of Janus-faced attack mechanism. Its internal coding can be used to both redirect traffic to launch full-on assaults on unsuspecting web victims, but it can also be used for surveillance. Indeed, the report noted a huge similarity to the Quantum system, which was reportedly used to help the NSA and British authorities perform targeted surveillance.
Marczak explained such a tool being used by huge governments isn’t necessarily surprising. In fact, he’s seen private companies sell similar surveillance tools to regimes.
Weaver was alarmed by the way the DDoS attack tool could easily change to spy tool. “It’s a trivial change to have this device exploit individual computers,” he said.
They also noted how brazen China was with the tool. Once the Github attacks had been mitigated, China didn’t stop. “The injection happened well after the time GitHub mitigated the attack,” said Marczak.
This, to him, meant China didn’t care if anyone saw. In fact, it’s likely China wanted to be seen.
“It was a very public demonstration of the capability,” Marczak concluded.