China Fires ‘Great Cannon’ Cyber-Weapon At The Hong Kong Pro-Democracy Movement


The Great Cannon of China doesn't get fired very often, but when it does the consequences for whoever it is aimed at can be hard-hitting. Operating from behind the Great Firewall of China, and used sparingly because of the substantial negative press it generates, this cannon launches cyber projectiles, not physical ones. It's a state-operated, distributed denial of service (DDoS) cyber-weapon, and now it has taken aim at an online forum used by pro-democracy protesters in Hong Kong to help coordinate their anti-government demonstrations.

What is the Great Cannon of China?

While not as well-known as the Low Orbit Ion Cannon (LOIC), a DDoS tool put to very effective use by the Anonymous hacking group when attacking websites supporting the Church of Scientology and later those opposed to WikiLeaks, the Great Cannon has the potential to be a much more significant threat. It works by hijacking web traffic from users within the boundaries of the government-controlled Great Firewall of China and redirecting that traffic to websites external to it. This is achieved by "injecting" malicious JavaScript code into the insecure HTTP connections of sites visited by Chinese users. This interception allows the operators of the cyber-weapon to target a chosen web resource with a DDoS attack.

What is a DDoS attack?

A Distributed Denial of Service attack is when a threat actor sends more access requests, of various technical flavors, to a web server than it can handle. The more of these superficially "genuine" requests that are sent simultaneously, the harder it is for the website to function normally. The bigger the attack, the slower the targeted site becomes in serving ordinary users trying to connect, ultimately resulting in the site going offline. Some of the biggest and best-known websites have been taken offline by such attacks. Perhaps most notoriously of late, Wikipedia, the seventh most popular site on the planet, was the victim of a massive DDoS attack.
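The paragraph above describes the effect of a flood but not how an operator would notice one in their own logs. The following is an added example, not code from the article or from any of the parties it names: it parses a handful of constructed access-log lines in the common log format, counts requests per client within fixed time windows, and reports both the clients that exceed a per-source threshold and the peak aggregate request rate. The caveat a defender needs is in the second function: a distributed flood made up of many hijacked browsers each sending a few requests will not trip a per-source threshold, so the aggregate rate against a known baseline is the complementary signal. The IP addresses, timestamps and thresholds are all constructed for the demo.

```python
# Added example (not from the Forbes article): spot request floods in web
# server access logs. Log lines, addresses and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Common log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client sends 8 requests in under 10 seconds,
# a second client sends 2, a third sends 1 in a later window.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2019:10:00:01 +0000] "GET /thread/1 HTTP/1.1" 200 2048
203.0.113.7 - - [25/Nov/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2019:10:00:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2019:10:00:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [25/Nov/2019:10:00:03 +0000] "GET /thread/2 HTTP/1.1" 200 1900
198.51.100.4 - - [25/Nov/2019:10:00:04 +0000] "GET /thread/3 HTTP/1.1" 200 1700
192.0.2.9 - - [25/Nov/2019:10:00:15 +0000] "GET / HTTP/1.1" 200 512
"""


def parse_log(text):
    """Yield (client_ip, aware datetime) for every line matching the format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def _window_counts(text, window_seconds):
    """Map (client_ip, window_start_epoch) -> number of requests."""
    counts = defaultdict(int)
    for ip, ts in parse_log(text):
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        counts[(ip, bucket)] += 1
    return counts


def flood_sources(text, window_seconds=10, threshold=5):
    """Clients that exceed `threshold` requests in any single window.

    Returns {client_ip: highest per-window count}. Misses distributed floods
    where each source stays under the threshold; see peak_rate for that.
    """
    flagged = {}
    for (ip, _bucket), n in _window_counts(text, window_seconds).items():
        if n > threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged


def peak_rate(text, window_seconds=10):
    """Highest number of requests from all clients combined in one window.

    Compare this against the site's normal rate; a large jump with no single
    dominant source is the signature of a distributed flood.
    """
    totals = defaultdict(int)
    for (_ip, bucket), n in _window_counts(text, window_seconds).items():
        totals[bucket] += n
    return max(totals.values(), default=0)


if __name__ == "__main__":
    print("per-source offenders:", flood_sources(SAMPLE_LOG))
    print("peak requests per 10s window:", peak_rate(SAMPLE_LOG))
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents; the per-source threshold and window length should be tuned to the site's own baseline rather than the constructed values used here.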

In the case of the LIHKG forum attack, it would appear that malicious JavaScript files are being served from URLs that would typically provide analytics tracking scripts. The Great Cannon of China has been swapping a number of these script requests, on the fly, with ones containing malicious code.
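The two passages above (the injection of JavaScript into insecure HTTP connections, and the on-the-fly replacement of analytics script requests) point at the same defensive check: a page should not load third-party scripts in a way an on-path injector can rewrite. The following is an added example, not code from the article, from LIHKG, or from AT&T Alien Labs. It audits a constructed HTML page for `<script src>` tags that are fetched over plain `http://` or that lack a Subresource Integrity (SRI) `integrity` attribute, and it shows the hash check a browser performs on a script body against that attribute, with a constructed tampered copy failing it. The hostnames and script bodies are placeholders. One caveat: SRI only helps when the page itself arrives over HTTPS, because an injector that can rewrite the script can also rewrite the `integrity` attribute on an HTTP page.

```python
# Added example (not from the article): audit a page for scripts that an
# on-path injector could swap, and verify a script body against its SRI hash.
# HTML, hostnames and script bodies below are constructed for the demo.
import base64
import hashlib
import hmac
from html.parser import HTMLParser

SRI_ALGOS = {"sha256", "sha384", "sha512"}  # the digests browsers accept


def sri_hash(script_body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value ("sha384-<base64 digest>")."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_script(script_body: bytes, integrity: str) -> bool:
    """Check a fetched script body the way a browser does before running it."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(script_body, algo), integrity)


class _ScriptCollector(HTMLParser):
    """Collect the attribute dicts of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def audit_scripts(html: str):
    """Return [(src, [issue, ...])] for scripts an injector could substitute.

    "plain-http": fetched over an unencrypted connection, modifiable in transit.
    "no-sri":     no integrity attribute, so a swapped body would run unchecked.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for a in collector.scripts:
        src = a["src"]
        issues = []
        if src.lower().startswith("http://"):
            issues.append("plain-http")
        if not a.get("integrity"):
            issues.append("no-sri")
        if issues:
            findings.append((src, issues))
    return findings


# Constructed script body and the tag that pins it; a tampered copy for contrast.
GOOD_SCRIPT = b"window.track = function (e) { /* analytics */ };\n"
GOOD_INTEGRITY = sri_hash(GOOD_SCRIPT)
TAMPERED_SCRIPT = GOOD_SCRIPT + b"// constructed modification\n"

SAMPLE_HTML = f"""<html><head>
<script src="http://analytics.example/track.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://cdn.example/app.js" integrity="{GOOD_INTEGRITY}"
        crossorigin="anonymous"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, issues in audit_scripts(SAMPLE_HTML):
        print(f"{src}: {', '.join(issues)}")
    print("pinned script verifies:", verify_script(GOOD_SCRIPT, GOOD_INTEGRITY))
    print("tampered copy verifies:", verify_script(TAMPERED_SCRIPT, GOOD_INTEGRITY))
```

To pin a script in practice, fetch the exact body you intend to serve, run `sri_hash` over it, and put the result in the tag's `integrity` attribute alongside `crossorigin="anonymous"`; any future change to that file, legitimate or not, then has to come with an updated hash.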

The Great Cannon of China takes aim at Hong Kong protesters

According to a report from Chris Doman, a security researcher at AT&T Alien Labs, the Great Cannon of China started the current attack on November 25. This follows an initial attack on August 31 against the LIHKG forum, the Hong Kong equivalent of Reddit. The forum was targeted because it has been used by members of the Hong Kong pro-democracy protest movement to coordinate demonstrations.

An official statement from LIHKG regarding the DDoS attack on August 31 stated that the total number of server requests that day exceeded 1.5 billion. "The enormous amount of network requests have caused internet congestion and overload on the server which has occasionally affected the access to LIHKG. The website data and members' information are unaffected," the statement confirmed.

"The Great Cannon is currently attempting to take the website LIHKG offline," Doman said in the "Great Cannon Has Been Deployed Again" report.

Doman said that it's not likely to succeed in this instance, partly because LIHKG has robust anti-DDoS mitigation in place and "partly due to some bugs in the malicious JavaScript code that we won't discuss here." That doesn't make it any less disturbing, given that it shows the Great Cannon has not been forgotten about.

Indeed, while it has been reported that the attack tool had not been used for two years before the LIHKG attack, Doman said that an attack against a Chinese-language news site has been ongoing during the last year. Those attacks started in August 2017, using significantly updated code compared with the most notorious previous DDoS attack, which targeted the GitHub website in 2015.

That Doman identified bugs in the current attack code, which is mostly the same as the 2017 instance, is a saving grace. For now. If China decides to dust down the big cyber-guns for more active duty in the future, I think it's safe to say that the code will be sharpened up, making it harder to defend against. Nor should it be forgotten that any firing of such a geopolitical cyber-weapon brings with it the potential for collateral damage to your business.
