China's 'Great Cannon': Taking censorship across country borders

Posted: April 11, 2015 at 7:43 am

Summary: China's ruling party is ramping up the censorship battle with a powerful new weapon which hijacks traffic outside of the country.

China has developed a new censorship weapon to accompany its Great Firewall in order to silence not only its citizens -- but critics around the globe.

According to a report released Friday by Citizen Lab, the 'Great Cannon' was first used against GitHub and Greatfire.org servers, both incidents of which were high-profile DDoS attacks designed to deny access to materials criticizing China's regime, censorship tools and copies of websites banned in the country.

Researchers from the University of California, Berkeley, University of Toronto's Citizen Lab, the International Computer Science Institute (ICSI) and Princeton University suggest in the paper that these attacks were orchestrated by China's censorship barricade. However, while the attacks -- which used malicious JavaScript to redirect Baidu connections to overwhelm the servers with traffic intended for China's largest search engine -- originated from the Great Firewall of China, the team says that the attack was carried out by an entirely separate tool.

This system, dubbed China's 'Great Cannon,' is reportedly a "distinct attack tool" with different capabilities from the Great Firewall. Rather than acting as an extension of the wall, Citizen Lab says the tool can "hijack traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle (MITM)."

"The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of 'bystander' systems outside China, silently programming their browsers to create a massive DDoS attack," the researchers say.

The Great Firewall of China is an on-path system which monitors traffic between China and other countries. If requests for banned content are received -- such as access to Google, Facebook and Twitter -- the system terminates the request. However, the researchers say the Great Cannon works differently. The Great Cannon is an in-path system which is capable of both injecting and suppressing traffic.

In the attacks on GitHub and Greatfire.org, the new tool intercepted traffic sent to Baidu servers which hosted analytics, social and advertising scripts. If the Great Cannon saw requests for particular JavaScript files, it could take two actions: pass the request on to Baidu servers or drop the request and instead send a malicious script back. The report states:

The idea that China's cybercapabilities may allow it to divert traffic from surfers outside of the country for its own ends is concerning. Furthermore, the researchers also say the tool only acts on a small percentage of the traffic it has the capabilities to manipulate, and the Great Cannon's functionality likely spans beyond such uses.

According to the team, a few simple tweaks in the Great Cannon's configuration -- switching to operating on traffic from a specific IP address rather than to a specific address -- would allow malware payloads to be delivered to targeted users who are communicating with Chinese servers without cryptographic protections set in place.
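Because the tool can only replace unencrypted content, a site operator can check which scripts a page pulls in over cleartext HTTP and would therefore be open to in-path replacement. The following is an added example, not taken from the article or the Citizen Lab report; the page URL, hostnames and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every hostname here is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="http://analytics.example.net/h.js"></script>
<script async src="//ads.example.net/show.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="/static/app.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""


class ScriptAudit(HTMLParser):
    """Collect external <script src> tags, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag != "script" or not src:
            return  # not a script, or inline code with no separate fetch
        # urljoin resolves relative and protocol-relative ("//host/x.js")
        # references the way a browser would, inheriting the page's scheme.
        url = urljoin(self.page_url, src.strip())
        parts = urlsplit(url)
        self.scripts.append({
            "url": url,
            "cleartext": parts.scheme == "http",
            "third_party": parts.hostname != self.page_host,
        })


def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.scripts


def replaceable_in_transit(page_url, html):
    """URLs of scripts fetched without TLS, i.e. modifiable by an in-path system."""
    return [s["url"] for s in audit(page_url, html) if s["cleartext"]]


if __name__ == "__main__":
    for u in replaceable_in_transit("http://blog.example.org/post", SAMPLE_HTML):
        print("cleartext script:", u)
```

Served over HTTP, the sample page exposes three script fetches, including the protocol-relative one; served over HTTPS, only the script with a hard-coded `http://` URL is still reported.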
