Cyberattack Shows That China Isn’t Content to Censor Its Own Internet

A staff member works on a laptop at the Baidu headquarters in Beijing on Dec. 17, 2014.  

Photo by Greg Baker/AFP/Getty Images

The Chinese government has increased its Internet censorship and propaganda recently, cracking down on wife-swapping and one-night-stand stories and releasing a digital collection of the president’s collected sayings, dubbed “Xi’s Little Red App.” Around the same time, San Francisco–based GitHub was hit with a five-day denial-of-service attack that slowed computer programmers’ work across the world. The timing doesn’t seem to be a coincidence.

If you haven’t heard of GitHub, you’ve at least used software developed on it and distributed by it. It’s the world’s largest code platform, a social network for computer programmers to collaborate. In addition to hosting free, open-source libraries, GitHub is home to private repositories for paying customers. The site began experiencing a massive distributed denial-of-service (DDoS) attack on March 26 and didn’t declare things back to normal until March 31.

This may seem like just another nerd war, but it has important implications: The attack may be an effort to enforce the Great Firewall—which blocks much of Google, the international news media, and whatever other websites Chinese officials feel threatened by—even on platforms outside of China’s borders.

According to Google Trends, over the past year there has been more interest in GitHub from China than from any other country. Among GitHub’s many repositories are two pages that people in China use to read the news and reach the full, uncensored Internet. One provides a mirror of the Chinese-language New York Times, which is blocked in China. The other, created by the anti-censorship activist group GreatFire, lists proxy servers that get around the Great Firewall.

Because GitHub serves everything over HTTPS, the encrypted version of HTTP, China’s censors cannot selectively block individual GitHub pages: the path of the page being requested travels inside the encrypted connection, and all the censor can see from outside is the domain name. They can only block the whole domain, and they did so for several days in 2013. Whether because of the economic costs or outcry from the tech sector, officials changed their minds and unblocked it. Now it appears that Chinese officials want GitHub to take down the New York Times mirror and the GreatFire page.

The attack could have been carried out only by someone with control of and access to the backbone of the Chinese Internet. As GreatFire’s forensic report shows, the attack conscripted the browsers of unsuspecting people around the world who visited sites running Baidu Analytics, a Web statistics tracking tool. Those sites load a small Baidu script on every page view; somewhere on the network path between the visitor and Baidu, a malicious actor replaced that script in transit with one that commanded the browser to request the two GitHub pages over and over, at two-second intervals. Because the substitution happened on the wire, neither the visited site nor Baidu had to be compromised, and it is hard to gauge how many browsers ended up running the injected script.

Could Baidu have stopped the attack by shutting down its analytics scripts? Probably not. For one, Baidu’s government relations are more important than its public relations. Even beyond the obvious political constraints, there are technical limitations. The third-party websites using those Baidu tracking scripts would still be pointing browsers at Baidu’s servers, and the attacker sits on the path between the two. “Even if Baidu literally removed the scripts and returned 404s,” says Matt Bentz, a programmer who has taught cybersecurity at NYU Polytechnic School of Engineering, “it wouldn’t help. Because the attack injects itself as the response instead of the 404.” (A 404 code is a “page not found” error message indicating a broken link.)
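To make Bentz’s point concrete, here is a small model of the exchange, written for this article rather than taken from GitHub, Baidu or GreatFire’s report. It shows an attacker on the network path replacing a plain-HTTP script response in transit (so the origin’s 404 never reaches the browser), and then the browser-side check that would have refused the swapped script: Subresource Integrity, the `integrity` attribute on a `<script>` tag, which modern browsers support but which the page in the article does not mention. The script path, both script bodies and the scenario names are constructed for the example.

```python
# Added example, not code from the article or from GitHub, Baidu or GreatFire.
# Models (1) an on-path attacker replacing a plain-HTTP response, so an origin
# 404 changes nothing for the victim browser, and (2) Subresource Integrity,
# the browser check that refuses a script whose hash does not match the one the
# embedding page pinned. Paths and script bodies below are constructed.
import base64
import hashlib
import hmac

SCRIPT_PATH = "/h.js"  # hypothetical path of the analytics script
GENUINE_ANALYTICS_JS = b"/* analytics */ track('pageview');"
INJECTED_JS = (
    b"/* attacker's replacement: a loop that keeps requesting the two target "
    b"pages every two seconds (stand-in; the real payload is not shown) */\n"
    b"setInterval(hitTargets, 2000);"
)


def origin_response(path, script_removed=False):
    """The analytics origin (modelled): serve the script, or 404 once removed."""
    if path == SCRIPT_PATH and not script_removed:
        return 200, GENUINE_ANALYTICS_JS
    return 404, b"Not Found"


def on_path_injector(path, status, body, active=True):
    """Attacker between browser and origin. For the targeted path it answers
    with its own 200 response; whatever the origin sent, 200 or 404, is dropped,
    so the origin cannot fix this by changing its reply."""
    if active and path == SCRIPT_PATH:
        return 200, INJECTED_JS
    return status, body


def fetch_over_plain_http(path, script_removed=False, injector_active=True):
    """One plain-HTTP round trip through the injector; returns (status, body)."""
    status, body = origin_response(path, script_removed)
    return on_path_injector(path, status, body, injector_active)


def sri_hash(body, alg="sha384"):
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64>',
    the value a site operator puts in <script integrity="...">."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def browser_would_execute(body, integrity=None):
    """Model of the browser: with no integrity attribute any body runs; with
    one, the body runs only if its hash matches the pinned value."""
    if integrity is None:
        return True
    alg, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_hash(body, alg), integrity)


def run_scenarios():
    """Outcomes of the cases discussed in the text, keyed by scenario name."""
    pinned = sri_hash(GENUINE_ANALYTICS_JS)
    results = {}
    # Normal day: no injector, genuine script, SRI passes.
    status, body = fetch_over_plain_http(SCRIPT_PATH, injector_active=False)
    results["normal"] = (status, browser_would_execute(body, pinned))
    # Attack, page without SRI: the browser runs the injected loop.
    status, body = fetch_over_plain_http(SCRIPT_PATH)
    results["attack_no_sri"] = (status, body == INJECTED_JS, browser_would_execute(body))
    # Origin removes the script and returns 404: the browser never sees the 404.
    status, body = fetch_over_plain_http(SCRIPT_PATH, script_removed=True)
    results["attack_after_404"] = (status, body == INJECTED_JS)
    # Same attack against a page that pinned the script: refused to run.
    results["attack_with_sri"] = browser_would_execute(body, pinned)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Two caveats apply to the SRI half of the model. The pin only helps if the HTML page itself reached the browser intact, which in practice means the page was loaded over HTTPS; an injector that can rewrite the script response can also rewrite an HTTP page’s `<script>` tag. And it requires the third-party script to be frozen at a known version, which analytics vendors rarely offer. The simpler fix for the attack described here is for the tracking script to be loaded over HTTPS in the first place, since an on-path attacker cannot alter an encrypted, integrity-protected response.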

GitHub devised a clever reaction: it answered the flood of requests with a page containing a JavaScript alert reading “WARNING: malicious javascript detected on this domain.” An alert box blocks the page’s scripts until it is dismissed, so the injected reload loop stalled until the user clicked through, and the message itself told users that their browser was running malicious script. This was one of many tactics to deflect the massive incoming traffic. But the attack evolved, expanding to traffic from another major Chinese Internet company, Sina. Over the course of five days, many developers noticed intermittent outages.

“We definitely noticed the outages,” says Sam Williams, an iOS developer at Wink, one of GitHub’s paying customers. “We weren’t prevented from working, though—everyone on my team at least had enough to do on their local branches. I think there was about one day where we weren’t able to review and merge pull requests, which was annoying but fortunately not critical at that time.”

Still, the attack forced GitHub to take a stand—to decide between uninterrupted service for paying customers and basic freedom of information for all users. It’s a choice forced upon every media and Internet company operating in China. Bloomberg and Google famously took two different paths. What’s different here is that GitHub doesn’t even do business in China, but was still expected to self-censor.

Since the late 1990s, the Chinese government has been implicated in hacking with targets ranging from the Tibetan exile government to military contractors to weather satellites, for cyber espionage and monitoring of dissidents. GitHub declined to provide a representative’s response for this story, instead pointing me to status charts that showed little disruption in services. On March 31, GitHub tweeted “Everything operating normally.” The next day, Obama declared cybersecurity a national emergency.

It sounds like GitHub has backup. But if not, as a Sina Weibo microblogger going by the handle XhidamariSketchX suggested a few days after the fact, it could use a technique inspired by martial arts to deflect the force and momentum back to the attacker, by redirecting the traffic to the Chinese central government Web portal: “GitHub could redirect DDoS to by sending http 301 response.” A 301 code means “this page has moved permanently.” OK, that wouldn’t work in the real world: GitHub would still have to receive and answer every request, and whoever controls the injected script could simply stop it from following redirects. But it would be a magical thing if it did.