Initial security reports suggested that China had crippled the services by exploiting its own Internet filter — known as the Great Firewall — to redirect overwhelming amounts of traffic to its targets. Now, researchers at the University of California, Berkeley, and the University of Toronto say China did not use the Great Firewall after all, but rather a powerful new weapon that they are calling the Great Cannon.
The Great Cannon, the researchers said in a report published Friday, allows China to intercept foreign web traffic as it flows to Chinese websites, inject malicious code and repurpose the traffic as Beijing sees fit.
The system was used, they said, to intercept web and advertising traffic intended for Baidu — China’s biggest search engine company — and fire it at GitHub, a popular site for programmers, and GreatFire.org, a nonprofit that runs mirror images of sites that are blocked inside China. The attacks against the services continued on Thursday, the researchers said, even though both sites appeared to be operating normally.
But the researchers suggested that the system could have more powerful capabilities. With a few tweaks, the Great Cannon could be used to spy on anyone who happens to fetch content hosted on a Chinese computer, even by visiting a non-Chinese website that contains Chinese advertising content.
“The operational deployment of the Great Cannon represents a significant escalation in state-level information control,” the researchers said in their report. It is, they said, “the normalization of widespread and public use of an attack tool to enforce censorship.”
The researchers, who have previously done extensive research into government surveillance tools, found that while the infrastructure and code for the attacks bear similarities to the Great Firewall, the attacks came from a separate device. The device has the ability not only to snoop on Internet traffic but also to alter the traffic and direct it — on a giant scale — to any website, in what is called a “man in the middle attack.”
China’s new Internet weapon, the report says, is similar to one developed and used by the National Security Agency and its British counterpart, GCHQ, a system outlined in classified documents leaked by Edward J. Snowden, the former United States intelligence contractor. The American system, according to the documents, which were published by The Intercept, can deploy a system of programs that can intercept web traffic on a mass scale and redirect it to a site of their choosing. The N.S.A. and its partners appear to use the programs for targeted surveillance, whereas China appears to use the Great Cannon for an aggressive form of censorship.
The similarities of the programs may put American officials on awkward footing, the researchers argue in their report. “This precedent will make it difficult for Western governments to credibly complain about others utilizing similar techniques,” they write.
Still, the Chinese program illustrates how far officials in Beijing are willing to go to censor Internet content they deem hostile. “This is just one part of President Xi Jinping’s push to gain tighter control over the Internet and remove any challenges to the party,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington.
Beijing continues to increase its censorship efforts under its State Internet Information Office, an office created under Mr. Xi to gain tighter control over the Internet within the country and to clamp down on online activism. In a series of recent statements, Lu Wei, China’s Internet czar, has called on the international community to respect China’s Internet policies.
Sarah McKune, a senior legal adviser at the Citizen Lab at the Munk School of Global Affairs at the University of Toronto and a co-author of the report, said, “The position of the Chinese government is that efforts to serve what it views as hostile content inside China’s borders is a hostile and provocative act that is a threat to its regime stability and ultimately its national security.”
The attacks also show the extent to which Beijing is willing to sacrifice other national goals, even economic ones, in the name of censorship. Baidu is China’s most visited site, receiving an estimated 5.2 million unique visitors from the United States in the past 30 days, according to Alexa, a web ranking service.
Kaiser Kuo, a Baidu spokesman, said that Baidu was not complicit in the attacks and that its own networks had not been breached. But by sweeping up Baidu’s would-be visitors in its attacks, researchers and foreign policy experts say, Beijing could harm the company’s reputation and market share overseas.
Beijing has recently said that it plans to help Chinese Internet companies extend their influence and customer base abroad. At a meeting of the National People’s Congress in China last month, Premier Li Keqiang announced a new “Internet Plus” action plan to “encourage the healthy development of e-commerce, industrial networks and Internet banking and to guide Internet-based companies to increase their presence in the international market.”
Yet the latest censorship offensive could become a major problem for Chinese companies looking to expand overseas. “They know one of their biggest obstacles is the perception that they are tools of the Chinese government,” Mr. Lewis said. “This is going to hurt Baidu’s chances of becoming a global competitor.”
Researchers say they were able to trace the Great Cannon to the same physical Internet link as China’s Great Firewall and found similarities in the source code of the two initiatives, suggesting that the same authority that operates the Great Firewall is also behind the new cyberweapon.
“Because both the Great Cannon and Great Firewall are operating on the same physical link, we believe they are both being run under the same authority,” said Bill Marczak, a co-author of the report who is a computer science graduate student at the University of California, Berkeley, and a research fellow at Citizen Lab.
Mr. Marczak said researchers’ fear is that the state could use its new weapon to attack Internet users, particularly dissidents, without their knowledge. If they make a single request to a server inside China or even visit a non-Chinese website that contains an ad from a Chinese server, the Great Cannon could infect their web communications and those of everyone they communicate with and spy on them.
Ultimately, researchers say, the only way for Internet users and companies to protect themselves will be to encrypt their Internet traffic so that it cannot be intercepted and diverted as it travels to its intended target.
“Put bluntly,” the researchers said, “unprotected traffic is not just an opportunity for espionage but a potential attack vector.”