Chinese authorities compromise millions in cyberattacks

On March 17th 2015, our websites and partner websites came under a DDoS attack. We had never been subjected to an attack of this magnitude before. This attack was unusual in nature as we discovered that the Chinese authorities were steering millions of unsuspecting internet users worldwide to launch the attack. We believe this is a major cyber-security and economic threat for the people of China.

After calling on the Internet community for help and assistance, independent researchers with access to our log files discovered the following facts:

• Millions of global internet users, visiting thousands of websites hosted inside and outside China, were randomly receiving malicious code which was used to launch cyberattacks against GreatFire.org’s websites.

• Baidu's Analytics code (h.js) was one of the files replaced by malicious code which triggered the attacks. Baidu Analytics, akin to Google Analytics, is used by thousands of websites. Any visitor to any website using Baidu Analytics or other Baidu resources would have been exposed to the malicious code. A list of Baidu resources known to be used for the attack appears in the report.

• That malicious code is sent to “any reader globally” without distinguishing that user’s geographical location, meaning that the authorities did not just launch this attack using Chinese internet users -  they compromised internet users and websites everywhere in the world.

• The tampering takes places someplace between when the traffic enters China and when it hits Baidu’s servers. This is consistent with previous malicious actions and points to the Cyberspace Administration of China (CAC) being directly involved in these attacks.

More technical details of the attack can be read in a research report titled “Using Baidu to steer millions of computers to launch denial of service attacks”.

GitHub Suffers DDoS Attack

On March 25 the Chinese authorities used the same techniques to launch a DDoS attack on GitHub - our page was one of the main targets. To mitigate the DDoS attack, we mirrored content on our GitHub repository and asked users to access that page directly. The attackers then switched their attack to our GitHub page.

GitHub stated:

We are currently experiencing the largest DDoS (distributed denial of service) attack in github.com's history. The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.

We believe that “a specific class of content” refers to GreatFire.org’s GitHub page. To combat the DDoS attack from malicious JS code injected by CAC, GitHub modified https://github.com/greatfire/ to show a message to users: "WARNING: malicious javascript detected on this domain".

The URL to access our GitHub page ( https://github.com/greatfire/) is hard coded into the malicious JS. Our page is still accessible and only users who have been exposed to the malicious code will see the warning pop up message while browsing other websites. The GitHub attack is still ongoing and the malicious JS is still being injected for approximately 1% of foreign visitors to websites that are using elements from Baidu.

The Implications

When we first blogged about this attack we did not want to level accusations without evidence. Based on the technical forensic evidence provided above and the detailed research that has been done on the GitHub attack, we can now confidently conclude that the Cyberspace Administration of China (CAC) is responsible for both of these attacks.

Hijacking the computers of millions of innocent internet users around the world is particularly striking as it illustrates the utter disregard the Chinese authorities have for international as well as even Chinese internet governance norms. There was no way for an average internet user to prevent themselves from being exploited as part of this attack. This statement from Lu Wei, the head of the Cyberspace Administration of China, encapsulates our thoughts and concerns about these attacks:

We should establish an Internet order that helps maintain security. The Internet is a worldwide platform for sharing information. It is “a community of common interests”. No country is immune to such global challenges as cybercrime, hacking and invasion of privacy. In cyberspace, it is becoming increasingly difficult to uphold security for one’s own country by sacrificing that of others. It is also not practical to pursue one’s own interests by rejecting others’ needs. China is also a victim of hacking. We have always firmly opposed all forms of Internet attacks.

Inserting malicious code in this manner can only be done via the Chinese Internet backbone. Even if CAC did not launch the DDoS attack directly, they are responsible for managing the internet in China and it is not possible that they did not know what was happening. These attacks have occurred under CAC’s watch and would have needed the approval of Lu Wei.

Lu Wei and the Cyberspace Administration of China have clearly escalated the tactics that they use to control information. The Great Firewall has switched from being a passive, inbound filter to being an active and aggressive outbound one. This is a frightening development and the implications of this action extend beyond control of information on the internet. In one quick movement, the authorities have shifted from enforcing strict censorship in China to enforcing Chinese censorship on internet users worldwide. CAC can launch these attacks quickly and easily and they have the technical and financial resources behind them to continue to launch DDoS attacks against any website, anywhere in the world.

These attacks also illustrate the shortsighted nature of the Chinese authorities. Weaponizing Chinese internet services stifles global confidence in Chinese entrepreneurs and contributes to the fragmentation of the global internet. The SEC has already asked Weibo to explain how the censorship apparatus works - Baidu, a publicly-listed company in the US, may be called in to do the same.   

We correctly predicted last year that China would increase their use of MITM attacks in an effort to censor encrypted websites. We now sadly predict that the DDoS attacks against us and GitHub are likely to signal a ramping up of attacks against foreign internet properties. These kinds of attacks should draw scorn and criticism from government officials of all countries around the world.

It is important to note that throughout this attack, our Android FreeBrowser app has not been impacted and is still helping thousands of Chinese internet users to bypass censorship and the great firewall every day.

On behalf of the millions of unsuspecting users manipulated by these actions, we call on Lu Wei and the Cyberspace Administration of China (CAC) to bring an end to these DDoS attacks immediately and to apologise for their blatantly disrespectful and dangerous actions.

Further Information

After the attacks started, many overseas Chinese saw these warning messages and started to post screenshots on social media.

One person uploaded a video to YouTube showing what happens when a user is injected with malicious JS in the GitHub DDoS attack. You can also see GitHub’s mitigation efforts in this video.

There are fascinating details about the attack on GitHub and changes made by the Cyberspace Administration of China to maintain the attack.

An earlier report about an unrelated GFW upgrade stated that “Every machine in China has the potential be a part of a massive DDOS attack on innocent sites,” and “They have weaponized their entire population.” That was too optimistic. Now CAC has weaponized the entire Internet population.