The 'Great Cannon' Is China's Powerful New Hacking Weapon
The attack on GitHub revealed a new sophisticated hacking tool that could be used against anyone on the Internet.
Image: AK Rockefeller/Flickr
The relentless days-long cyberattack on GitHub showed that someone was willing to use hundreds of thousands of innocent internet users to try to take down two single pages set up by an organization fighting Chinese censorship.
A group of cybersleuths has discovered that someone is indeed China, as everyone suspected. More importantly, they've also learned that the attack was carried out with a powerful new cyberweapon, whose existence was previously unknown.
Researchers at the Citizen Lab—a digital watchdog at the University of Toronto's Munk School of Global Affairs—are calling it the "Great Cannon." It's a tool essentially capable of monitoring internet traffic and targeting anyone its operators decide to hit, sending back malware or spyware, or using the target to flood another site with traffic.
"The operational deployment of the Great Cannon," read a Citizen Lab report, published on Friday, "represents a significant escalation in state-level information control: the normalization of widespread and public use of an attack tool to enforce censorship."
The Great Cannon was used to hijack and redirect the internet traffic to flood two GitHub pages, in an unprecedented distributed denial of service, or DDoS, attack. The influx of traffic overwhelmed the site's servers, turning hundreds of thousands of users into unbeknownst conduits and taking down two pages hosted on GitHub by GreatFire, a group that monitors Chinese censorship and uses the site to circumvent it.
The Great Cannon can be used to hack practically anyone who visits a non-encrypted website or ad hosted in China.
The Great Cannon is capable of hijacking connections going through China's internet infrastructure for the purpose of mounting this kind of DDoS attacks in the service of censorship. But in theory, it could just as easily be used to hack practically anyone who visits a non-encrypted website hosted in China, or even a website hosted elsewhere that's containing an ad hosted in China, according to the report.
In other words, it's a full-fledged man in the middle device, similar in capabilities to an NSA's system known as QUANTUM, according to Nicholas Weaver, a researcher at the International Computer Science Institute and UC Berkeley. With QUANTUM, which was revealed by documents leaked by Edward Snowden, the NSA can automatically and covertly infect computers with malware implants served through unencrypted sites.
"The QUANTUM insert attacks were not mass injections of traffic openly into the the browsers of thousands of users around the world. This is," Collin Anderson, an independent security researcher who studies censorship and surveillance, told Motherboard. "It was so flagrant, it was so open, there was no attempt to really conceal it."
Citizen Lab researchers, based on a network analysis they conducted in the last couple of weeks, believe the Great Cannon is separate from the country's censorship system known as the Great Firewall of China. But the tool is located in the same network space and infrastructure as the firewall, and is similar in how its coded, which proves that China is behind it, the researchers said.
"It was so flagrant, it was so open, there was no attempt to really conceal it."
Asked about the conclusions of the Citizen Lab report, a spokesperson for the Chinese embassy in Washington DC said that China "opposes and combats any form of cyberattack in accordance with law."
"We hope that instead of making accusations without solid evidence, all relevant parties can take a more constructive attitude and work together to address cyberissues," the spokesperson said in an email to Motherboard. The spokesperson, however, declined to provide any other comments when we asked whether he could confirm that China had nothing to do with the attack on GitHub.
To date, China has yet to directly deny its involvement in the attack. When asked during a press conference at the end of March, a spokesperson for China's Foreign Ministry simply said that "it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it."
The discovery of this new tool shows that China is just as capable of sophisticated cyberattacks as the NSA, according to experts. It's also evidence that China is willing to defend its "cyber sovereignty" outside of its own online confines, Adam Segal, an expert on cybersecurity and China at the Council on Foreign Relations, told Motherboard.
The researchers at Citizen Lab reached the same conclusion, writing that this "demonstrates the weaponization of the Chinese Internet to co-opt computers outside of China as part of an attack targeted on non-Chinese systems."
The attack on GitHub "demonstrates the weaponization of the Chinese Internet."
It also highlights how governments around the world "are both able and willing to use this kind of attack to compromise individuals' digital security, which may impact human rights such as privacy and freedom of expression," according to Sarah McKune, the Senior Legal Advisor at Citizen Lab, who also co-wrote the report.
The biggest mysteries that remain are whether the Great Cannon was used before, and why China decided to showcase it in such an open way, given that it could have probably achieved similar results using other tools against GitHub and GreatFire, the anti-censorship group that was targeted in the DDoS attack.
"I would've assumed that China would've had this sort of capability, but I would've also assumed that they wouldn't want to broadcast this the world," Weaver said.
Perhaps that was intentional. Knowing that it would be caught using the Great Cannon so overtly, maybe China wanted to showcase its new sophisticated tool, Anderson said.
What the Great Cannon's attack on GitHub also proves, according to the researchers, is that anything on the internet that is unencrypted, meaning hosted on an non-HTTPS website—even cat videos— can be used to mount a cyberattack.
Widespread use of HTTPS encryption would make these attacks harder to pull off, which is why a growing number of security experts are encouraging websites to switch to the standard.
"Encryption stops these attacks," Weaver said. "We need to encrypt everything all the time."