Readers may have heard of the “Great Firewall,” the powerful filters that the People’s Republic of China uses to prevent Chinese citizens from accessing the whole Internet.
The Great Firewall monitors traffic entering and exiting China, and then disrupts prohibited content and connections. Imagine an eavesdropper on a party line: when one party says something objectionable, the eavesdropper shouts into the line until everyone hangs up. While very effective, the Firewall is not an offensive weapon.
The device we dubbed the “Great Cannon” is different; it acts as a “man-in-the-middle,” able to not just shout down a conversation but actually able to change content as it passes through the Internet.
Unlike the Great Firewall, whoever designed the Great Cannon created a deliberately offensive tool, designed to selectively replace benign web content with malicious content.
The only known use of the Great Cannon was to further Chinese censorship.
The organization GreatFire seeks to monitor and circumvent Chinese censorship. One technique it’s developed has been dubbed “Collateral Freedom” — hosting content on encrypted services that it believes are “too important to block.”
Denial of service attack
During March and April, when a non-Chinese web surfer visited a page containing unencrypted content served by Chinese search engine Baidu, the Great Cannon would occasionally replace that content with a series of instructions for the web surfer’s browser.
These instructions caused the browser to repeatedly fetch content from “Collateral Freedom” pages, executing a “denial of service” (DOS) attack. It would be like an attacker telling tens of thousands of cellphones to all dial the same number at the same time.
The first round of attacks, between March 16 and March 26, directly targeted GreatFire’s Amazon CloudFront instances in an attempt to either cause Amazon to remove these instances or simply run up GreatFire’s hosting costs. Although this significantly affected GreatFire’s bill, it failed to block the services and GreatFire responded with some technical changes to mitigate the attack.
But GreatFire’s CloudFront domains aren’t memorable, so those in China who wish to discover one need another source. GreatFire uses Github for this, hosting both instructions for evading the Great Firewall and directions on obtaining a copy of the Chinese language New York Times. Previously, China tried blocking GitHub but quickly relented when local developers objected.
So the Great Cannon’s operator switched the target, instructing newly hijacked web browsers to repeatedly contact GitHub. This attack persisted until April 7, although GitHub was able to mitigate this attack after the first few days. Since then, the Great Cannon has gone silent; we have not detected any further attempts to use this device.
While it still ran, we were able to isolate the Cannon’s location, showing that it wasn’t a group of hacker vigilantes but a dedicated tool that shares code and network location with the Great Firewall.
Evidence points to Chinese government
We don’t expect that hackers would have access to the Great Firewall’s source code or be able to install devices in the backbone of the Chinese Internet across multiple Internet providers. Combined with the choice of targets, the Great Cannon is almost certainly a tool of the Chinese government.
Though the Great Cannon has gone silent, the dangerous implications remain. To start with, China seemed willing to explicitly attack a U.S. company, GitHub, in an attempt to suppress online content that the Chinese government finds objectionable.
It would also be a trivial change for the Great Cannon’s operator to turn the Cannon into a direct exploitation tool, targeting web servers directly. Instead of replacing content with the instructions to execute a DOS attack, the replaced content instead could exploit the target’s browser to take over the target’s computer.
Combined with some target awareness and a minor change to the Cannon itself, the Chinese could use this to hack any web browser — if the Chinese can identify their target’s IP address and the target happens to fetch unencrypted content hosted from within China.
The Great Cannon was also a direct attack on Baidu. For everyone outside of China, any page containing an unencrypted Baidu service, even something as innocuous as an advertisement, now may be a vehicle for a Chinese government attack.
And although the Cannon primarily replaced content served by Baidu, it can just as easily target any other Chinese service. Anyone concerned with the possibility of Chinese government hacking now needs to consider the entire Chinese Internet as explicitly hostile. How can Chinese Internet companies hope to compete?
China has company
Although China’s use of the Great Cannon to censor content is objectionable, if China instead chooses to use this to directly exploit computers, they would have company.
According to recent revelations, the NSA in the United States and the GCHQ in the United Kingdom have developed and deployed an attack using similar techniques that they have used against Belgacom, Belgium’s primary telecommunications provider.
The Internet is now a hostile place.
If an adversary sees your unencrypted traffic, it is not just a data leak but an attack vector they can use to exploit your computer. Encryption isn’t just a matter of privacy but a necessity for self-defense.