GreatFire.org is a website dedicated to monitoring the Great Firewall (GFW), China’s sophisticated and wide-ranging (if imperfect) censorship system, and it has unsurprisingly been a target for attacks by China before.
In late March, popular code repository website GitHub suffered a two-week Distributed Denial of Service (DDoS) attack which flooded the website with bad internet traffic, resulting in slow access and occasional bouts of downtime. As the two primary targets of this attack were the GitHub pages for GreatFire.org and CN-NYTimes (a Chinese language edition of The New York Times), suspicion immediately fell on the Chinese government.
The Citizen Lab has now published a report that confirms China as the culprit, and adds a new term to the lexicon of cyberwarfare – the ‘Great Cannon.’ According to the report, this ‘Great Cannon’ is a type of network injection attack in which the Chinese government tampered with the analytics script used by Chinese internet search giant Baidu.
When someone normally visits a website running the Baidu script (pretty much every website in China), analytics data is sent back to Baidu, but with the tampered script it was sent to GitHub instead, swamping it in traffic generated by unwitting regular Chinese internet surfers.
Even more worrying than the attack itself, the script can be tweaked to target specific individuals, intercepting their communications the second they connect to ‘any Chinese server not employing cryptographic protections.’
‘While the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the ‘Great Cannon.’ The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.’
Although it cannot be proved that the Chinese government is responsible, it is unlikely that an attack with such a ‘highly visible impact’ on a US company could have been performed without its blessing:
‘It is likely that this attack, with its potential for political backlash, would require the approval of high-level authorities within the Chinese government.’
It was generally presumed that China had this attack capability (thanks to Mr Edward Snowden we know that the United States has it), but observers have expressed surprise not only at China showing a willingness to use it in practice, but that by continuing the attack for so long, it actually appeared to be advertising the capability. This has led the researchers to speculate that the attack ‘may also reflect a desire to counter what the Chinese government perceives as US hegemony in cyberspace.’
How Baidu will react to its analytics scripts being hijacked in this way remains to be seen, but it is unlikely to be happy, as its business could be damaged as websites become wary of using its code (or that of other Chinese web companies).
This form of man-in-the-middle (MitM) attack should not be possible when connecting to an SSL/TLS secured (https://) website, but such connections are only as secure as the CA certificate that verifies them. If just one Certificate Authority goes rogue (or is pressured by its government) and issues fake certificates, then just about every browser will accept these certificates (thereby compromising the secure connection).
It was only a couple of weeks ago that Google was forced to issue a warning about fake SSL certificates issued by Chinese CA CNNIC (which are still accepted by many browsers)…