The recent exposure of the ‘Great Cannon’, China’s cyber weapon, is seen as a direct threat to the world. What are its capabilities, and how does it work? Let’s find out…
China, being a censorship-based country, does not allow any information that is anti-government or against communist ideology to reach its citizens. We have all known how China regulates the Internet through its internal information filtering system, known as the ‘Great Wall of China’. But now things have changed. According to a report, the Chinese have moved beyond their good old cyber weapon, the ‘Great Wall of China’, which is used for censoring information on the Internet (to regulate its own citizens), to a new cyber-weapon that the researchers have named ‘the Great Cannon’. The researchers say that the new cyber-weapon is intended to censor Internet information outside China and can be used globally.
On the morning of April 10th, 2015, news reports surfaced that China had acquired a cyber weapon known as the Great Cannon. According to the initial reports, the Great Cannon enables China to intercept global web traffic (as it travels to Chinese websites), inject malicious code, and redirect that traffic to attack targets of its choosing.
As I was wondering, I am sure that all of you are wondering why the Chinese have named their most powerful cyber-weapon the ‘Great Cannon’. So what does it mean? In the hacker community, where it is more commonly known as a Low Orbit Ion Cannon (LOIC or WebLOIC), an Internet cannon is a type of computer program used to force traffic overloads (or denial-of-service) onto targeted websites. It uses the Internet to blast out cyberattacks. So obviously, it’s not related to a military cannon in any way!
First Use of Weapon
Towards the end of March 2015, the Chinese used the Great Cannon for the first time as a counter-attack weapon against companies that offer tools to help users evade Chinese censorship. China attacked anti-censorship websites GreatFire and GitHub, a San Francisco-based web service that is popular with programmers, by sending crippling amounts of web traffic in an attempt to knock these sites offline. Bill Marczak, one of the authors of the report by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, said, “This is very much an escalation.” While the Chinese are notorious for using their internal censoring cyber-weapon to block users within the country from accessing news stories or other information it considers inappropriate, the recent attack took place outside China, in a Western country, and effectively blocked a wide range of content for web users around the world.
According to an earlier report from the nonprofit, China took control of millions of Web browsers and used them to send a flood of traffic to GreatFire.org, a nonprofit that runs mirror images of sites that are blocked inside China, and later to GitHub. According to the Citizen Lab, the Distributed Denial of Service (DDoS) attack that the Chinese used represents only a small fraction of the possible uses of this tool. The researchers said that the Chinese used the Great Cannon to intercept web and advertising traffic intended for Baidu, China’s biggest search engine company, and fire it at GitHub. The researchers said that the attacks against anti-censorship sites GreatFire and GitHub continued until the first week of April, even though both websites were working normally.
The Great Cannon has other capabilities: it could also be used to deliver malicious code to any computer system or network visiting a website based in China that does not use encryption to protect the privacy of its users. Researchers added that, with a few tweaks, the Great Cannon could be used to spy on anyone who happens to fetch content hosted on a Chinese computer, even by visiting a non-Chinese website that contains Chinese advertising content. The researchers said in their report, “The operational deployment of the Great Cannon represents a significant escalation in state-level information control.” The researchers added, “the normalization of widespread and public use of an attack tool to enforce censorship.”
The researchers, who have previously done extensive research on government-based surveillance tools, discovered that while the infrastructure and code for the attacks are similar to the Great Firewall, the attacks came from a separate device. The device has the ability not only to snoop on Internet traffic but also to alter the traffic and direct it, on a giant scale, to any website, using the ‘man in the middle’ attack method.
One of the authors of the research on the Great Cannon, McKune, added that the Great Cannon’s ability to insert malicious code into Web traffic is similar to the capabilities of a National Security Agency program known as Quantum, which was disclosed by former government contractor Edward Snowden. The United States N.S.A. and its allies use cyber-weapons for targeted surveillance, whereas China appears to use the Great Cannon for an aggressive form of censorship.
Marczak said researchers fear that the Chinese state could use the Great Cannon to attack Internet users, mainly dissidents, without their knowledge. If they make a single request to a server inside China, or even visit a non-Chinese website that contains an online advertisement from a Chinese server, the Great Cannon could infect their web communications and those of everyone they communicate with, and spy on them.
The earlier analysis of the recent attacks suggested they originated from the Great Firewall, but the Citizen Lab says the Great Cannon is a separate offensive device, although with several resemblances to the Great Firewall. The researchers said that the Great Cannon works by altering unencrypted traffic as it crosses China’s borders.
According to the researchers, the Great Cannon is placed in the same facility in China where the Great Firewall is located, and it also shares some source code with the latter. Researchers say they were able to trace the Great Cannon to the same physical Internet link as China’s Great Firewall, suggesting that the same authority that operates the Great Firewall is also behind the new weapon.
Bill Marczak, a co-author of the report who is a computer science graduate student at the University of California, Berkeley and a research fellow at Citizen Lab, said, “Because both the Great Cannon and Great Firewall are operating on the same physical link, we believe they are both being run under the same authority.”
The researchers revealed that the effect of the attack could be detected across different Chinese Internet service providers, suggesting government involvement in the attack.
McKune said that some questions remain about which parts of the government were aware of or involved in the Great Cannon’s development and use. He said, “There’s no other reasonable explanation for the technical findings here than that this was an attack launched by the Chinese government.”
According to the Citizen Lab researchers, the most effective way to defuse the Great Cannon is to encrypt more Internet traffic. Nicholas Weaver, another report author, said, “We are now in a world where any unencrypted traffic seen by an adversary is not just an information leak, but a weakness they can exploit.” He added that the only defense is using universal encryption.
Researchers say that ultimately the only way for online users and companies to protect themselves is to encrypt their Internet traffic so that it cannot be intercepted and diverted as it travels to its intended target. “Put bluntly,” the researchers said, “unprotected traffic is not just an opportunity for espionage but a potential attack vector.”
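As an added illustration of the researchers’ advice (not code from the Citizen Lab report), this Python script audits a page’s HTML for scripts, frames, stylesheets and images that the browser would fetch without TLS, which are the requests an in-path device can alter. The sample page and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> severity. "active" content runs or renders in the page's
# context, so tampering with it in transit changes what the browser executes.
FETCHING = {("script", "src"): "active", ("iframe", "src"): "active",
            ("link", "href"): "active", ("img", "src"): "passive"}

class SubresourceAudit(HTMLParser):
    """Collect subresources the browser would fetch without TLS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), severity in FETCHING.items():
            value = attrs.get(attr)
            if t != tag or not value:
                continue
            # <link> only matters here when it loads a stylesheet
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # urljoin resolves relative and protocol-relative URLs as a browser would
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((severity, tag, resolved))

def audit(page_url, html):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample page; hostnames are placeholders, not from the report.
SAMPLE = """<html><head>
<script src="http://analytics.example.cn/h.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://static.example.org/app.js"></script>
<link rel="stylesheet" href="/site.css">
</head><body>
<img src="http://ads.example.cn/banner.png">
<iframe src="https://video.example.org/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for page in ("http://blog.example.org/post", "https://blog.example.org/post"):
        print(page, audit(page, SAMPLE))
```

Serving the page itself over HTTPS removes the relative and protocol-relative findings; the hard-coded `http://` includes remain and have to be changed or dropped individually.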
Chinese Domestic & Foreign Policy
Under the rule of President Xi Jinping, who wants to see domestic stability, China has become more aggressive in attempting to block information that is anti-China and that it does not want its citizens to know. On this, James A. Lewis, a senior fellow at the Center for Strategic and International Studies, said, “Getting control over the Internet and information is a big priority for the Chinese – they’re going after things they used to tolerate, and you’re seeing a general clampdown.” Sarah McKune, one of the authors of the report on the Chinese cyber attacks, said that the recent attacks against GreatFire and GitHub appear to show that the country is willing to put ideological control over other goals, such as the economic success of its tech sector, which could be damaged by censorship efforts.
On the recent attacks, State Department spokesman Alec Gerlach expressed concern on behalf of the U.S. government and said, “Malicious cyber actors who target critical infrastructure, U.S. companies, and U.S. consumers are a threat to the national security and the economy of the United States, and we are particularly concerned about activity that is intended to restrict the ability of users around the world to access information.” On the U.S. position on China, he said that U.S. officials have asked China to investigate the incidents: “In this case, the attackers appeared to have leveraged Internet infrastructure located in China to overwhelm Web sites in the United States.”
When asked about the Citizen Lab report or the attacks on GreatFire and GitHub, the Chinese Embassy did not directly respond to questions. The Chinese Embassy spokesman Zhu Haiquan said in a statement that China supports the development of “Internet news communications” and “at the same time guarantees the citizens’ freedom of speech.” Haiquan said, “China firmly opposes and combats any form of cyberattack in accordance with law.” He added, “We hope that instead of making accusations without solid evidence, all relevant parties can take a more constructive attitude and work together to address cyberissues.”
McKune said that the revelations about U.S. government surveillance programs in recent years may have also given China more confidence about acting aggressively in cyberspace. The researchers argue in their report that the similarities between the Chinese cyber-weapons and the American programs may put U.S. officials on awkward footing. “This precedent will make it difficult for Western governments to credibly complain about others utilizing similar techniques,” they write.
The Chinese program illustrates how far officials in Beijing are willing to go to censor Internet content they deem hostile. James A. Lewis, a security expert at the Center for Strategic Studies in Washington, said, “this is just one part of President Xi Jinping’s push to gain tighter control over the Internet and remove any challenges to the party.”
Beijing continues to increase its censorship efforts under its State Internet Information Office, an office created under Mr. Xi to gain tighter control over the Internet within the country and to clamp down on online activism. Lu Wei, China’s Internet czar, in a series of recent statements has called on the international community to respect China’s Internet policies.
Sarah McKune, a senior legal adviser at the Citizen Lab at the Munk School of Global Affairs at the University of Toronto and a co-author of the report, said, “The position of the Chinese government is that efforts to serve what it views as hostile content inside China’s borders is a hostile and provocative act that is a threat to its regime stability and ultimately its national security.”
A Brief Conclusion
China has expanded its Internet censorship efforts beyond its borders with a new strategy that attacks websites across the globe. The report of a new Chinese weapon is nothing new, given that such cyber-weapons already exist in several countries and are also used to snoop on their citizens (as in the US, UK and other countries). But what is worrisome is that, ultimately, it is the citizens of those countries who have to bear the consequences of such anti-state cyber-weapons. In the case of China, the people’s security and privacy are at stake until there is global regulation of such cyber-weapons.
The author is a Senior Editor at Bitstream Mediaworks.
He has an active interest in IT Security.