Evidence links China to GitHub cyber-attack

1 Apr 2015

China Accused of ‘Weaponizing’ Global Internet Users.

HONG KONG — The Chinese government has long used a sophisticated set of Internet filters known as the Great Firewall as a barrier to prevent its citizens from obtaining access to foreign websites with information it deems threatening. Internet activists on Tuesday accused Chinese authorities of carrying out or enabling massive cyberattacks on the GreatFire.org anti-censorship website and the coding site GitHub, saying Beijing had “weaponized” innocent Internet users around the world to target sites offering ways around its Great Firewall. “Based on the technical forensic evidence provided above and the detailed research that has been done on the GitHub attack, we can now confidently conclude that the Cyberspace Administration of China (CAC) is responsible for both of these attacks,” GreatFire.org said in an article on its website on Tuesday. The massive denial-of-service attacks that have intermittently shut down GitHub for more than five days are the work of hackers with control over China’s Internet backbone, according to two technical reports published Tuesday that build a strong case that government authorities are at least indirectly responsible. The attacks appear to hijack advertising and analytics traffic intended for Baidu, China’s largest search company, and redirect that traffic to smaller websites in what is known as a distributed denial-of-service, or DDoS, attack.

As previously reported, the two GitHub pages are constantly loaded and reloaded by millions of computer users inside and outside of China, an endless loop that, left unmitigated, caused outages not only on the two targeted pages but across GitHub’s entire network. Exhibit A in the case that China is involved is the pair of GitHub pages targeted: one hosts the anti-censorship service GreatFire.org, while the other hosts a mirror of The New York Times’ Chinese edition. The aggressive new strategy shows vividly how Beijing is struggling to balance its desire to control the flow of information online with its aim of encouraging the growth of its tech sector. Those attacks do not appear to be connected to the hacks involving British Airways, the workplace team chat site Slack, or the person-to-person taxi service Uber.

Slack determined that hackers were able to access information in its user database, though it believes not the encrypted passwords, over a four-day period in February, while complaints about stolen frequent-flier points from British Airways’ Executive Club members began emerging two weeks ago. The computers hammering GitHub’s servers are all running a piece of malicious code that surreptitiously conscripts them into a massive DDoS army. Because GitHub is fully encrypted, China’s domestic Web filters cannot distinguish between pages that host code useful to programmers and pages that host code that circumvents censorship. The JavaScript is silently injected into the traffic of sites that use an analytics service that the China-based search engine Baidu makes available so website operators can track visitor statistics.

Patrick Nielsen, senior security researcher at Kaspersky Lab, said: “As far as I know, there are no links between these hacks, and some (GitHub) are DDoS attacks while others (like Slack) are proper breaches. There are some theories that actors in China are behind the DDoS attack on GitHub because GitHub hosts anti-censorship tools, but early attribution, and indeed attribution in general, is very difficult no matter what kind of attack we’re talking about.” In 2013, when the government fully blocked GitHub, it caused an outcry among China’s many computer engineers, leading to the site’s subsequent unblocking. Researchers at Sweden-based Netresec analyzed the technical fingerprints of the malicious JavaScript and found they differ from those of the non-malicious traffic received by the one percent of computers conscripted into the DDoS army. For instance, the time-to-live limits placed on how long packets should be accepted by end-user computers are vastly different for the malicious content: from 30 to 229 seconds, compared with 42 seconds for legitimate analytics code. According to an IT professional survey by Kaspersky Lab and B2B International, 94 percent of organizations worldwide have encountered at least one cyber security breach over the past 12 months; 12 percent of those surveyed reported being the victim of at least one targeted attack, up from the 9 percent reported by Kaspersky in 2012 and 2013.

In a number of recent public appearances, China’s Internet czar, Lu Wei, has called for respect for China’s Internet sovereignty, meaning that China should have the right to manage the Internet within its borders as it sees fit. Mr James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, said the attack was an attempt to deal with extraterritoriality on the Internet. “China is trying to redefine the rules of the Internet and they’re feeling their way forward as they do it,” he said. “This is one of another set of actions to say China will have a bigger voice in how the Internet works.” The Netresec analysis shows that the TTL of a legitimate SYN+ACK packet is 42 seconds, while three packets with a malicious payload have TTL values of 227, 228, and 229 seconds. The results suggest that the SYN+ACK packets are coming from the actual Baidu server, while the packets carrying the malicious payload are injected somewhere else. Researchers from GreatFire have issued their own report that also lays out evidence the attacks could not have been carried out without the cooperation of Chinese authorities.
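The TTL comparison described above (a SYN+ACK at 42 against payload segments at 227, 228 and 229) is a general technique for spotting on-path injection: every segment a server genuinely sends over one path arrives with roughly the same TTL, so a server-side segment whose TTL is wildly different most likely came from a different host. The script below is an added example written for this page; it is not code from the article, Netresec or GreatFire. It works on constructed packet records (RFC 5737 documentation addresses, hypothetical ports) that mirror the values the article reports, and it treats TTL as a hop counter, which is what the IPv4 field is in practice (each router decrements it by one) even though the article quotes the values in seconds.

```python
"""Flag TCP segments whose IP TTL is inconsistent with the flow's SYN+ACK.

Added example, not from the article or from Netresec/GreatFire. The sample
records are constructed: client 198.51.100.7 talks to server 203.0.113.10
(RFC 5737 documentation addresses, hypothetical ports). The SYN+ACK carries
TTL 42 and three later "server" segments carry TTL 227-229, as the article
reports for the legitimate and injected traffic respectively.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags, e.g. "S", "SA", "PA"
    ttl: int          # IPv4 TTL as observed at the capture point
    payload_len: int


# Constructed sample flow (not a real capture).
SAMPLE = [
    Segment("198.51.100.7", 51000, "203.0.113.10", 80, "S", 128, 0),
    Segment("203.0.113.10", 80, "198.51.100.7", 51000, "SA", 42, 0),     # real server
    Segment("198.51.100.7", 51000, "203.0.113.10", 80, "PA", 128, 300),  # HTTP request
    Segment("203.0.113.10", 80, "198.51.100.7", 51000, "PA", 227, 1400), # injected payload
    Segment("203.0.113.10", 80, "198.51.100.7", 51000, "PA", 228, 1400),
    Segment("203.0.113.10", 80, "198.51.100.7", 51000, "PA", 229, 600),
]


def flow_key(seg):
    """Direction-independent 4-tuple identifying one TCP connection."""
    a = (seg.src, seg.sport)
    b = (seg.dst, seg.dport)
    return (a, b) if a < b else (b, a)


def find_ttl_anomalies(segments, tolerance=2):
    """Return (segment, ttl_delta) for server-side segments whose TTL differs
    from the flow's SYN+ACK TTL by more than `tolerance` hops.

    The SYN+ACK is the baseline because it must come from the host that owns
    the server socket. A later segment in the same direction with a very
    different TTL was sent by another host or over another path; either way
    it deserves a closer look as a possible on-path injection."""
    baseline = {}               # flow -> (server endpoint, syn_ack_ttl)
    by_flow = defaultdict(list)
    for seg in segments:
        key = flow_key(seg)
        by_flow[key].append(seg)
        if seg.flags == "SA":
            baseline[key] = ((seg.src, seg.sport), seg.ttl)

    anomalies = []
    for key, segs in by_flow.items():
        if key not in baseline:
            continue            # no handshake captured; nothing to compare against
        server, ref_ttl = baseline[key]
        for seg in segs:
            if (seg.src, seg.sport) != server or seg.flags == "SA":
                continue        # only server-side data segments are compared
            delta = seg.ttl - ref_ttl
            if abs(delta) > tolerance:
                anomalies.append((seg, delta))
    return anomalies


def likely_initial_ttl(observed):
    """Smallest common OS default (32, 64, 128, 255) the observed TTL fits under.
    Two senders whose TTLs imply different initial values are almost certainly
    different machines."""
    for init in (32, 64, 128, 255):
        if observed <= init:
            return init
    return None


if __name__ == "__main__":
    for seg, delta in find_ttl_anomalies(SAMPLE):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} flags={seg.flags} "
              f"ttl={seg.ttl} (delta {delta:+d} vs SYN+ACK, "
              f"initial TTL likely {likely_initial_ttl(seg.ttl)})")
```

On the sample, the three 227-229 segments are flagged while nothing else is. The second helper shows why the gap matters: 42 sits under a default initial TTL of 64, whereas 227-229 only fit under 255, so the payloads were sent by a different host than the one that completed the handshake. A TTL mismatch alone is a triage signal rather than proof (asymmetric routing or a load balancer running another OS can also shift TTL), so in practice it should be confirmed against other per-flow fingerprints such as IP ID and TCP option patterns.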

In one quick move, the authorities have shifted from enforcing strict censorship in China to enforcing Chinese censorship on Internet users worldwide. CAC can launch these attacks quickly and easily, and it has the technical and financial resources to continue launching DDoS attacks against any website, anywhere in the world. The SEC has already asked Weibo to explain how the censorship apparatus works; Baidu, a company publicly listed in the US, may be called in to do the same. It is hard to imagine how malicious code could be inserted into so many different China-based websites for five days straight without a government authority actively participating, or at least looking the other way, while it happened.
