China resurrects Great Cannon for DDoS attacks on Hong Kong forum

Two years after the last attacks, the Great Cannon is up and running again.
Written by Catalin Cimpanu, Contributor

More than two years after it was last used, the Chinese government has deployed an infamous DDoS tool named the "Great Cannon" to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests.

The Great Cannon was last used in 2017, when Chinese authorities deployed it for DDoS attacks against Mingjingnews.com, a New York-based Chinese news site.

Prior to that, the Great Cannon rose to infamy after the Chinese government used it to launch DDoS attacks against GitHub (for hosting tools that help Chinese users bypass China's national firewall) and GreatFire.org (a portal that exposes internet censorship across the globe).

A 2015 report from Citizen Lab at the University of Toronto's Munk School pointed out that the Great Cannon and China's Great Firewall shared code and were co-located on the same servers, suggesting the tool was developed and operated under the direct supervision of the Chinese government.

According to the report, the Great Cannon worked by intercepting traffic meant for websites hosted inside China and injecting JavaScript code in the responses users received in their browsers.

This malicious JavaScript code executed in users' browsers and secretly accessed a victim's site -- generating gigantic traffic spikes for the victim and its web server.

Image: Citizen Lab

DDoS attacks with the Great Cannon have been rare, mainly because they tend to generate a lot of bad press for the Chinese government.

But in a report published today, AT&T Cybersecurity says the tool has been deployed once again.

This time, the Great Cannon's victim was LIHKG.com, an online platform where the organizers of the Hong Kong 2019 protests have been sharing information about the locations of daily demonstrations. The site is also a place where Hong Kong residents congregate to recount stories of Chinese police abuse and upload video evidence.

AT&T Cybersecurity says the first Great Cannon DDoS attacks targeted LIHKG on August 31, while the last one was recorded on November 27.

AT&T Cybersecurity researcher Chris Doman said the August attacks used JavaScript code that was very similar to the one spotted in the 2017 attacks on Mingjingnews.com.

According to LIHKG, the site received more than 1.5 billion requests per hour during the August attack, compared to the site's previous traffic record of a meager 6.5 million requests per hour.
