Revealed: China’s Cyberwar ‘Cannon’

Computer security researchers have discovered a new “offensive device” being used by China’s powerful Internet censors that gives them the power to launch attacks on websites and inject malicious viruses on computers around the world.

The device is associated with China’s so-called Great Firewall, which blocks Internet searches in China for information the government deems controversial, such as from Chinese dissidents and government critics. But this new tool, which researchers dubbed the Great Cannon, actually can commandeer an unwitting person’s computer and marshal it into a network of machines used to flood websites with traffic and force them to shut down.

The cannon was used in such a denial-of-service attack on GreatFire.org, which helps Internet users circumvent Chinese censors, researchers at Citizen Lab, with the Munk School of Global Affairs at University of Toronto, and the University of California at Berkeley, said in a report released Friday. The Daily Beast obtained an advance copy of the document.

The Citizen Lab team concluded that it would be “trivial” to convert the Great Cannon from its censorship mission into a powerful system for injecting viruses, spyware, and other malicious code onto any foreign computer that communicates with a website in China, and that’s not protected with encryption.

The device could be used to intercept unencrypted email to or from a target and “undetectably replace” legitimate attachments with malicious payloads, “sabotaging email sent from China to outside destinations,” the report said.

The researchers say the Great Cannon is analogous to the so-called Quantum system, developed by the National Security Agency, which can implant malware on machines around the world for espionage and attacks. Quantum was revealed in documents leaked by former NSA contractor Edward Snowden and helped to show that the NSA runs an extensive, sophisticated, and aggressive operation designed to commandeer or spy on foreign computers. The NSA’s British counterpart reportedly used Quantum to spy on the largest telecommunications provider in Belgium, which is a member of NATO.

“This precedent will make it difficult for Western governments to credibly complain about others utilizing similar techniques,” the researchers said of China’s Great Cannon.

So far, however, the Cannon’s operators—the report doesn’t identify them, but says there is “compelling and reproducible evidence” that they are in the Chinese government—have only used it against sites that help to evade state censorship. The attack on GreatFire.org, which began in March, was widely reported. Researchers speculate that the Cannon’s builders may have wanted to advertise their new weapon to the world.

“Conducting such a widespread attack clearly demonstrates the weaponization of the Chinese Internet to co-­opt computers outside of China,” they said. The Cannon specifically targeted computers going to the website Baidu, the leading Chinese Internet search engine, presumably because it is used by a very large number of people and offered an easy opportunity to compromise many computers. The report also contains a detailed technical explanation of Citizen Lab’s findings and its research methods.

What’s still unclear is why the Great Cannon’s builders chose to use it in the first place. But the decision to employ such a powerful tool may reflect China’s “desire to counter what it perceived as a U.S. hegemony in cyberspace,” the report’s authors say. The NSA has spent untold billions of dollars to conduct surveillance operations around the world, both with the cooperation of technology companies and sometimes behind their backs. And the U.S. military refers to cyberspace as a “domain of warfare.” But the Chinese government recently acknowledged that it, too, has incorporated cyber warfare and spying into its military and intelligence strategy.

The Citizen Lab researchers suggest that China may be reacting to a new strategic environment in cyberspace, where the United States is developing powerful tools of its own that further its interests.

And just as the NSA’s extensive spying has damaged the reputation of American technology companies, the researchers say, the Chinese government could be undermining Baidu, one of the country’s most promising and important new companies. While Beijing’s monitoring of China’s networks is well known, its ability to infect outside computers connecting to services on Baidu is not.

The Great Cannon can target users outside China, the researchers say, including people who click on ads on websites that are hosted on Baidu servers. Like Google, Baidu makes money placing ads on other sites.

Baidu recently reported total revenues of $7.9 billion in fiscal year 2014, a 54 percent increase from the previous year. And it was running a nearly half-a-billion-dollar profit in the fourth quarter of 2014.

“The incorporation of Baidu in this attack speaks to the willingness of Chinese authorities to pursue domestic stability and security aims at the expense of other goals—even economic ones,” the Citizen Lab report says.

In that respect, China could be victim to the same pitfalls as the U.S. government, just as it tries to one-up its rival.