
Great Cannon Resurrected

After a two-year hiatus, the botnet known as Great Cannon has been brought back to life to carry out DDoS attacks. A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the traffic heading to a server, network, or website by flooding the infrastructure with traffic. This is done by using compromised machines, sometimes referred to as bots, to continually send requests to the target. Another method used to carry out such attacks is to intercept legitimate traffic and redirect it towards the victim. Either way, the result is essentially a traffic jam: the server cannot handle all the requests, so it cannot serve legitimate traffic either, denying users the service offered.

Great Cannon was last seen in 2017, when Chinese authorities used it for DDoS attacks against Mingjingnews.com, a New York-based Chinese news site. Now the DDoS botnet is being used to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests. Great Cannon first made a name for itself when it was used to attack GitHub and GreatFire.org: GitHub was targeted for hosting tools that help Chinese users bypass China's national firewall, while GreatFire.org was targeted because it exposes internet censorship across the globe.

A report published by AT&T Cybersecurity reveals how the DDoS tool is again operational and targeting the Hong Kong-based forum. According to researchers, the attacks began in August, with the latest attack occurring in November. Great Cannon works by injecting malicious JavaScript into pages served from behind the Great Firewall, the collection of technologies used to regulate the Internet within China by blocking or slowing down access to foreign websites. These scripts hijack the users’ connections, which are then used to make multiple requests against the targeted site.


These requests consume all the resources of the targeted site, making it unavailable for users to access. Researchers noted that the code used was very similar to the 2017 attacks on Mingjingnews.com.

According to LIHKG, during the August attack the online forum received 1.5 billion requests per hour, compared to the previous site traffic record of 6.5 million requests per hour. As to how successful the attacks were, researchers concluded that:

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here. Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

A Nationalised DDoS Tool

We know Great Cannon was developed and used by Chinese authorities thanks to the investigative work done by Citizen Lab. In the report released by Citizen Lab and the University of Toronto, it was shown that the attack infrastructure is co-located with the Great Firewall, but that the attack was carried out by a separate offensive system with far different capabilities from those of the Great Firewall. At the time the report was published, researchers and academics feared that:

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.”

In concluding the report, it was argued that Great Cannon set a dangerous precedent in that it weaponized average, non-malicious users within the country’s borders to carry out attacks on the internet and on foreign organizations to further national policies. This flies in the face of accepted norms and violates widespread domestic laws prohibiting the unauthorized use of computing and networked systems. Chinese authorities are not the only ones who have blurred the line between responsible government and respect for its citizens. The United States’ NSA and the United Kingdom’s GCHQ have both exploited unencrypted traffic to either control information or perform an attack.

The friction between the Chinese government and pro-democracy protesters in Hong Kong is well documented, with news reports at one stage coming out daily on further developments. One could question why the attack by Chinese authorities is so brazen; conventional wisdom would dictate that such attacks be carried out as stealthily as possible. However, the GitHub, GreatFire.org, and Mingjingnews.com attacks were all done just as brazenly, with little effort made to mask who was responsible. It is clear that China is willing to use the cyberweapons at its disposal to further government policies; this has been shown time and time again. It is also clear that such weapons will be used against any opinion that dissents from the one the government presents as right, regardless of international norms and borders. It is a display of power as much as it is an abuse of power, inflicted on China’s citizens and seemingly without their consent.

Back in 2015, the Citizen Lab report stressed the urgency of revising and replacing legacy web protocols like HTTP with far more secure, cryptographically strong versions like HTTPS. It’s been four years since that advice was handed out to anyone who would listen. Today, it still looks as if much of it went unheeded.
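The practical meaning of "not fully utilizing HTTPS" is worth spelling out: an in-path injector like Great Cannon can only rewrite content that travels in the clear, so an http:// landing page that is not redirected, a missing HSTS policy, or an https:// page that still loads a script over http:// each leave an injection point open. The following checker is an added example, not code from the article or from the Citizen Lab or AT&T reports; it evaluates a captured HTTP response (status, headers and body) against those three conditions, using constructed sample responses for the hypothetical host example.test.

```python
import re
from dataclasses import dataclass, field

# <script ... src="http://..."> loaded into an otherwise-HTTPS page is the
# classic "mixed content" gap: that one request can still be rewritten in transit.
_HTTP_SCRIPT = re.compile(r'<script[^>]+src=["\']http://([^"\']+)', re.I)
_MAX_AGE = re.compile(r"max-age=(\d+)", re.I)
ONE_YEAR = 31536000  # minimum HSTS max-age most deployment guides recommend


@dataclass
class Assessment:
    issues: list = field(default_factory=list)

    @property
    def fully_https(self) -> bool:
        return not self.issues


def assess(url: str, status: int, headers: dict, body: str) -> Assessment:
    """Return the plaintext exposure points found in one captured response."""
    a = Assessment()
    h = {k.lower(): v for k, v in headers.items()}
    if url.startswith("http://"):
        # A plaintext response is acceptable only as a bare redirect to https://.
        # Browsers ignore HSTS sent over http, so nothing else about it matters.
        loc = h.get("location", "")
        if not (300 <= status < 400 and loc.startswith("https://")):
            a.issues.append("plaintext page served without a redirect to https")
        return a
    hsts = h.get("strict-transport-security")
    if hsts is None:
        a.issues.append("no Strict-Transport-Security header")
    else:
        m = _MAX_AGE.search(hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            a.issues.append("HSTS max-age shorter than one year")
    for src in _HTTP_SCRIPT.findall(body):
        a.issues.append(f"script loaded over plaintext http from {src}")
    return a


# Constructed sample responses (hypothetical host example.test), not real captures.
PLAINTEXT_PAGE = ("http://example.test/", 200, {"Content-Type": "text/html"}, "<p>hi</p>")
REDIRECT = ("http://example.test/", 301, {"Location": "https://example.test/"}, "")
GOOD = ("https://example.test/", 200,
        {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
        '<script src="https://cdn.example.test/app.js"></script>')
MIXED = ("https://example.test/", 200, {"Strict-Transport-Security": "max-age=63072000"},
         '<script src="http://analytics.example.test/track.js"></script>')

if __name__ == "__main__":
    for sample in (PLAINTEXT_PAGE, REDIRECT, GOOD, MIXED):
        print(sample[0], sample[1], assess(*sample).issues)
```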


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
