China's 'Great Cannon': Taking censorship across country borders

China's ruling party is ramping up the censorship battle with a powerful new weapon which hijacks traffic outside of the country.
Written by Charlie Osborne, Contributing Writer

China has developed a new censorship weapon to accompany its Great Firewall in order to silence not only its citizens -- but critics around the globe.

According to a report released Friday by Citizen Lab, the 'Great Cannon' was first used against GitHub and Greatfire.org servers, both incidents of which were high-profile DDoS attacks designed to deny access to materials criticizing China's regime, censorship tools and copies of websites banned in the country.

Researchers from the University of California, Berkeley, University of Toronto's Citizen LabCitizen Lab, the International Computer Science Institute (ICSI) and Princeton University suggest in the paper that these attacks were orchestrated by China's censorship barricade. However, while the attacks -- which used malicious Javascript to redirect Baidu connections to overwhelm the servers with traffic intended for China's largest search engine -- originated from the Great Firewall of China, the team say that the attack was carried out by an entirely separate tool.

This system, dubbed China's 'Great Cannon,' is reportedly a "distinct attack tool" with different capabilities to the Great Firewall. Rather than acting as an extension of the wall, Citizen Labs says the tool can "hijack traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle (MITM)."

"The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of "bystander" systems outside China, silently programming their browsers to create a massive DDoS attack," the researchers say.

The Great Firewall of China is an on-path system which monitors traffic between China and other countries. If requests for banned content are received -- such as access to Google, Facebook and Twitter -- the system terminates the request. However, the researchers say the Great Cannon works differently. The Great Cannon is in in-path system which is capable of both injecting and suppressing traffic.

In the attacks on GitHub and Greatfire.org, the new tool intercepted traffic sent to Baidu servers which hosted analytics, social and advertising scripts. If the Great Cannon saw requests for particular Javascript files, it could take two actions: pass the request on to Baidu servers or drop the request and instead send a malicious script back. The report states:

"In this case, the requesting user is an individual outside China browsing a website making use of a Baidu infrastructure server (e.g., a website with ads served by Baidu's ad network). The malicious script enlisted the requesting user as an unwitting participant in the DDoS attack against GreatFire.org and GitHub."

The idea that China's cybercapabilities may allow it to divert traffic from surfers outside of the country for its own ends is concerning. Furthermore, the researchers also say the tool only acts on a small percentage of the traffic it has the capabilities to manipulate, and the Great Cannon's functionality likely spans beyond such uses.

According to the team, a few simple tweaks in the Great Cannon's configuration -- switching to operating on traffic from a specific IP address rather than to a specific address -- would allow malware payloads to be delivered to targeted users who are communicating with Chinese servers without cryptographic protections set in place.

In addition, as the tool works as an MITM, it could also intercept unencrypted email and replace legitimate content with malicious code, manipulating email sent from China to other countries. The researchers say:

"The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users."

The Great Cannon is similar in many ways to the use of QUANTUM by the US National Security Agency (NSA) and UK's GCHQ intelligence agency. The weapon used by these agencies, revealed in documents leaked by Edward Snowden, can deploy programs which intercept vast networks of traffic in order to redirect these streams to locations of their choosing.

The researchers conclude:

"We remain puzzled as to why the GC's operator chose to first employ its capabilities in such a publicly visible fashion. Conducting such a widespread attack clearly demonstrates the weaponization of the Chinese Internet to co-opt arbitrary computers across the web and outside of China to achieve China's policy ends.
The repurposing of the devices of unwitting users in foreign jurisdictions for covert attacks in the interests of one country's national priorities is a dangerous precedent - contrary to international norms and in violation of widespread domestic laws prohibiting the unauthorized use of computing and networked systems."

Read on: In the world of security

Editorial standards