A well-known group of activists that has fought Chinese online censorship for years is publicly accusing China of launching the massive distributed denial of service attacks against the coding website GitHub.
On Monday, as GitHub was still under attack, the Internet activist group GreatFire published a forensic report written by an independent security researcher. The report analyzed evidence left behind by the attack on GitHub, as well as a previous attack against GreatFire, and alleges that China is the culprit.
“We now have proof,” Charlie Smith, a member of GreatFire who goes by a pseudonym to protect himself, told Motherboard. “The Cyberspace Administration of China is behind both of the recent DDoS attacks.”
“The Cyberspace Administration of China is behind both of the recent DDoS attacks.”
The forensic analysis shows that both attacks relied on the same technique: malicious code injected within China’s network, between users and the so-called Great Firewall, where China can tamper with Internet traffic going into or out of the country.
On March 18, GreatFire revealed that its websites hosted on Amazon’s cloud hosting service AWS were being hit by a large and unprecedented DDoS attack that was costing the group as much as $30,000 a day in bandwidth.
At the time, GreatFire refused to point fingers.
The two pages targeted were GreatFire’s GitHub page as well as their New York Times mirror, which effectively “unblocks” the paper’s website, which is normally not accessible in China.
“Hijacking the computers of millions of innocent internet users around the world is particularly striking as it illustrates the utter disregard the Chinese authorities have for international as well as even Chinese internet governance norms,” Smith said.
The group uses GitHub, as well as Amazon’s cloud services, to avoid China’s Internet censorship—an approach they call “collateral freedom.” By hosting content, or apps, on those services, which are encrypted, it makes it impossible for the government to block them without blocking access to the whole site.
These DDoS attacks, experts concluded, were likely an answer to this “collateral freedom” strategy.
For the last two weeks, GreatFire has been collecting evidence of the attack. A security researcher, who wishes to remain anonymous, analyzed the data that had been gathered and concluded that more than 10 million computers all over the world were sending traffic to GreatFire’s Amazon sites.
This, for GreatFire, is the smoking gun, since only the Chinese government, in theory, has the ability to manipulate traffic in that part of the network.
“This is consistent with previous malicious actions and points to the Cyberspace Administration of China (CAC) being directly involved in these attacks,” Smith wrote in a blog post accompanying the report.
Ofer Gayer, a security researcher at Incapsula, a firm that offers anti-DDoS services, seemed to reach the same conclusion—though without explicitly accusing China.
“Given the fact that the attacker was able to inject the malicious code at a very large scale, it would take someone with high-level clearance in Chinese Internet infrastructure to tamper with the data and initiate the attack,” he told Motherboard before GreatFire’s report was published.
Not everyone, however, is so sure.
Jaime Blasco, the director of security firm AlienVault Labs, who reviewed GreatFire’s report for Motherboard, said that there just isn’t enough evidence to prove that the attacker was the Chinese government.
“There’s not enough data to blame the government.”
“There’s not enough data to blame the government,” Blasco told Motherboard. “But it’s either the government, Baidu or Chinese Internet Service Providers who are modifying content.”
“But given how things work in China,” Blasco added, “it’s very likely the pressure comes from the government.”
The Chinese embassy in Washington D.C. did not respond to a request for comment by the time of publication.