By Nicole Perlroth
Sydney Morning Herald
SAN FRANCISCO: Late last month, China began flooding US websites with a barrage of internet traffic in an apparent effort to take out services that allow China’s internet users to view websites otherwise blocked in the country.
Initial security reports suggested that China had crippled the services by exploiting its own internet filter – known as the Great Firewall – to redirect overwhelming amounts of traffic to its targets.
Now, researchers at the University of California, Berkeley, and the University of Toronto say China did not use the Great Firewall after all, but rather a powerful new weapon that they are calling the Great Cannon.
The Great Cannon, the researchers said in a report published on Friday, allows China to intercept foreign web traffic as it flows to Chinese websites, inject malicious code and repurpose the traffic as Beijing sees fit.
The system was used, they said, to intercept web and advertising traffic intended for Baidu – China’s biggest search engine company – and fire it at GitHub, a popular site for programmers, and GreatFire.org, a nonprofit that runs mirror images of sites that are blocked inside China.
The attacks against the services continued on Thursday, the researchers said, even though both sites appeared to be operating normally.
But the researchers suggested that the system could have more powerful capabilities. With a few tweaks, the Great Cannon could be used to spy on anyone who happens to fetch content hosted on a Chinese computer, even by visiting a non-Chinese website that contains Chinese advertising content.
“The operational deployment of the Great Cannon represents a significant escalation in state-level information control,” the researchers said in their report. It is, they said, “the normalisation of widespread and public use of an attack tool to enforce censorship.”
The researchers, who have previously done extensive research into government surveillance tools, found that while the infrastructure and code for the attacks bear similarities to the Great Firewall, the attacks came from a separate device.
The device has the ability not only to snoop on internet traffic but also to alter the traffic and direct it – on a giant scale – to any website, in what is called a “man in the middle attack”.
China’s new internet weapon, the report says, is similar to one developed and used by the National Security Agency and its British counterpart, GCHQ, a system outlined in classified documents leaked by Edward J. Snowden, the former U.S. intelligence contractor.
According to the documents, which were published by The Intercept, the US system can deploy programs that intercept web traffic on a mass scale and redirect it to a site of the operators’ choosing. The NSA and its partners appear to use the programs for targeted surveillance, whereas China appears to use the Great Cannon for an aggressive form of censorship.
The similarities of the programs may put US officials on awkward footing, the researchers argue in their report. “This precedent will make it difficult for Western governments to credibly complain about others utilising similar techniques,” they write.
Still, the Chinese program illustrates how far officials in Beijing are willing to go to censor internet content they deem hostile. “This is just one part of President Xi Jinping’s push to gain tighter control over the internet and remove any challenges to the party,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington.
Beijing continues to increase its censorship efforts under its State Internet Information Office, an office created under Xi to gain tighter control over the Internet within the country and to clamp down on online activism.
In a series of recent statements, Lu Wei, China’s internet czar, has called on the international community to respect China’s internet policies.
Beijing has recently said that it plans to help Chinese internet companies extend their influence and customer base abroad. At a meeting of the National People’s Congress in China last month, Premier Li Keqiang announced a new “Internet Plus” action plan to “encourage the healthy development of e-commerce, industrial networks and Internet banking and to guide internet-based companies to increase their presence in the international market.”
Yet the latest censorship offensive could become a major problem for Chinese companies looking to expand overseas.
“They know one of their biggest obstacles is the perception that they are tools of the Chinese government,” Lewis said. “This is going to hurt Baidu’s chances of becoming a global competitor.”
China is widely suspected to be behind the recent attacks on GitHub and internet freedom group Great Fire. Now we have the most concrete evidence that indeed it was, and it looks like it did so using a new weapon to boot.
That’s according to a report from Citizen Lab — an ICT, security and human rights lab based within the Munk School of Global Affairs at the University of Toronto. Citizen Lab looked into these recent attacks and identified ‘Great Cannon’, a tool built to intercept data and redirect it to specific sites, as the attack system responsible for them.
The recent attacks are the first instances of the Great Cannon being deployed, and they are notable for a few reasons. Scale is one of them: Great Fire claimed “millions” of users were compromised for the attack it suffered, which hijacked Baidu and pushed the organization’s Amazon hosting bill to $30,000 per day. The attacks were also persistent: GitHub said it faced the largest attack in its history, which was ongoing for five days.
The Citizen Lab report surfaced evidence showing commonalities between China’s Great Firewall censorship system and Great Cannon. That’s another indicator that China was behind these malicious attacks — something it denies — but there is also concern that China’s new internet weapon could be used for more specific and targeted attacks.
The Edward Snowden leaks revealed the existence of QUANTUM, an NSA tool that could plant malware on millions of computers. Citizen Lab said that, with slight modifications, China’s Great Cannon could act in a similar way:
“A technically simple change in the Great Cannon’s configuration, switching to operating on traffic from a specific IP address rather than to a specific address, would allow its operator to deliver malware to targeted individuals who communicate with any Chinese server not employing cryptographic protections.”
The discovery of this tool is another reminder of the importance of secure browsing technology, like HTTPS, since weak security systems can undermine the safety of internet users browsing websites.
Furthermore, with the tool now exposed to the world, what were China’s motives for using it in such a public way? It could be that it was meant as a warning to other sites that challenge its censorship and regime so directly, but, either way, it represents a worrying change in policy from defensively censoring websites in China to proactively bringing them down.