China is greatly disturbed by the ongoing pro-democracy, anti-Beijing protests in Hong Kong and has been targeting all the digital forums protestors are using to organize protests. One of the favored tactics of the Chinese government is of launching a distributed denial-of-service attack (DDoS attacks).
In September this year, HackRead reported that LIHKG, an online forum used by the activists behind Hong Kong protests suffered a series of DDoS attacks and forced it to go offline for several hours. Now, it has been revealed that it was the Chinese government that used its old and infamous DDoS tool called the Great Cannon to target LIHKG.
China used the Great Cannon back in 2017 and it has resurfaced after a gap of two years. Previously, China targeted the New York-based Chinese news service, Mingjinnews.com with the same tool.
According to a report from AT&T Cybersecurity, the attack involving the Great Cannon was launched on August 31 and continued its activities until November 25. Using this tool, the attackers manage to successfully consumer the targeted website’s resources by bombarding it with web traffic.
This tool is believed to be an extension of the Great Firewall of China. Insecure HTTP connections are infected with malicious JavaScript code to launch web traffic in such a large proportion. When Chinese users visit malicious URLs, their own HTTP connection gets infected and becomes part of the army of websites that are later used to launch DDoS attacks.
In a distributed denial-of-service attack (DDoS attack) the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.
Citizen Lab explains that the Great Cannon is more than an extension of the Great Firewall because it is an independent tool that can hijack web traffic from individual IP addresses and “arbitrarily replace unencrypted content as a man-in-the-middle.”
Great Cannon and Great Firewall comparison (Image: CitizenLab)
Chris Doman from the Alien Vault business of AT&T Cybersecurity revealed that the LIHKG website is primarily used by protestors for sharing information and planning protests across the SAR region (Special Administrative Region) of China.
The DDoS tool, on the other hand, intercepts the web traffic from Chinese websites and injects malicious codes to force users’ devices to make a large number of web requests against the website that is being targeted as well as other sites and memes appearing on the forum.
“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here. Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services,” stated Doman.
