Researchers have uncovered the Great Cannon, a powerful attack tool used by the Chinese Government to run MITM attacks, which was also used against GitHub.

Researchers from the University of California at Berkeley and the University of Toronto have uncovered a powerful weapon in the Chinese Government's cyber arsenal, dubbed the Great Cannon, used to hit websites with powerful DDoS attacks. The Great Cannon has been used by Chinese authorities to knock out two anti-censorship GitHub pages, and it can also be used as a hacking tool to silently install malware on a targeted machine.

“We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.” states a report published by the team of researchers.

The traffic that hit the pages of the anti-censorship service GreatFire.org and a mirror site of the New York Times Chinese edition appeared to originate from unwitting individuals who had visited websites using analytics software developed by the Chinese search engine Baidu.

The attackers used the Great Cannon to manipulate about one or two percent of the connections from people outside China, injecting malicious JavaScript code into their traffic that caused their browsers to repeatedly load the targeted GitHub pages.

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users,” continues the report. “Specifically, the Cannon manipulates the traffic of ‘bystander’ systems outside China, silently programming their browsers to create a massive DDoS attack.”

The experts described the Great Cannon as the Chinese equivalent of the NSA’s QUANTUM platform, which is able to infect any PC worldwide that visits a China-based website not fully served over HTTPS.


The Great Cannon appears to be a distinct entity with respect to the Great Firewall: it is an “in-path” system placed between two networks in the Chinese backbone to perform man-in-the-middle attacks, whereas the Great Firewall is an “on-path” system that sits off to the side for the purpose of eavesdropping on traffic passing between China and the rest of the world.

“On-path systems have architectural advantages for censorship, but are less flexible and stealthy than in-path systems as attack tools, because while they can inject additional packets, they cannot prevent in-flight packets (packets that have already been sent) from reaching their destination. Thus, one generally can identify the presence of an on-path system by observing anomalies resulting from the presence of both injected and legitimate traffic.”


How to protect websites from the Great Cannon?

The experts explained that encrypted HTTPS connections render the tool ineffective, because encrypted traffic cannot be modified by an attacker attempting a MITM attack.

Unfortunately, websites that mix encrypted traffic with unencrypted traffic from third-party sites remain exposed, because an attacker can manipulate the unencrypted traffic of one of those third parties.
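The mixed-content weakness above can be audited before deployment. The following is an added example (not code from the report or from this article) that parses a page's HTML and flags every subresource still fetched over plain http://, ranking scripts, stylesheets and frames as "active" since an in-path attacker who rewrites them controls the page; the page URL and the HTML are constructed sample input.

```python
"""Flag mixed content on an HTTPS page: every http:// subresource is a
response an in-path attacker can rewrite, so each finding is a candidate
for upgrading to https:// (or for a CSP 'upgrade-insecure-requests')."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose plaintext fetch lets an attacker run code or restyle the page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
# Tags whose plaintext fetch only lets an attacker swap displayed media.
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only a stylesheet <link> is active content; preload/icon links are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if not attr or not attrs.get(attr):
            return
        # Resolve relative and protocol-relative (//host/x.js) URLs against
        # the https page; only an explicit http:// reference stays plaintext.
        url = urljoin(self.page_url, attrs[attr])
        if urlsplit(url).scheme == "http":
            self.findings.append(("active" if tag in ACTIVE else "passive", tag, url))


def audit(html, page_url):
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


def has_active_mixed_content(findings):
    return any(severity == "active" for severity, _, _ in findings)


# Constructed sample: an https page pulling a third-party analytics script
# over plain http, which is exactly the kind of resource a MITM can replace.
SAMPLE_PAGE_URL = "https://example.com/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://analytics.example.net/h.js"></script>
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<script src="/local.js"></script>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in audit(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{severity:7} <{tag}> {url}")
```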

Pierluigi Paganini