An unknown party hijacked widely used tools developed by Baidu, the largest search engine in China, this week in an apparent attempt to target online software used to get around Chinese censorship.
The assailants injected malicious code into the tools Baidu uses to serve ads on a wide range of Chinese Web sites and to provide analytics for Web developers, according to researchers. The code instructed the browsers of visitors to those sites to rapidly connect to other sites, but in a way that the visitors couldn't detect. That sent a flood of traffic to two anti-censorship tools offered by the group GreatFire hosted on GitHub, a popular site used by programmers to collaborate on software development. One of the tools targeted by the attack effectively allows Chinese users to access a translated version of the New York Times.
At times the attack made GitHub, which is used by programmers around the world and the U.S. government itself, unavailable for some users.
GitHub was briefly blocked inside China in 2013, but reinstated after an outcry from programmers. Because GitHub uses encryption to hide specific parts of the site, the Chinese government cannot selectively block only some of GitHub's content. But blocking the site wholesale could be damaging to China's economy because it is so widely used by the tech industry.
GreatFire reported its own site was the subject of a similar traffic flooding attack earlier this month.
While determining the entities behind these types of attacks is difficult, the Chinese government would be an obvious culprit, said James A. Lewis, a senior fellow at the Center for Strategic and International Studies. "The only people who would really benefit from it would be China," he said. Using such a bold tactic to attack content it dislikes seems to be either a way for the government to send a message or test out new capabilities, he said.
"The last couple months we've seen a real sea change in Chinese Internet policy, where they've become more assertive about blocking Western sites and pushing back on their citizens' ability to access information from outside of the country," Lewis said. Earlier this year, many virtual private network (VPN) services relied on by Chinese citizens to evade censorship became inaccessible within the country.
Baidu -- which is basically China's Google -- denied involvement in the incident. "After a thorough investigation, Baidu security engineers have ruled out either security issues with Baidu products or a hacking attack on Baidu as possibilities," the company told The Washington Post in a statement. "We have been in touch with other security organizations to apprise them of the situation, and we will work together on getting to the bottom of related issues."
GreatFire did not immediately respond to a Washington Post inquiry about the attacks. Nor did the Chinese government. In a tweet posted late Thursday night, GitHub acknowledged it was the victim of a "continuous" attack for more than 24 hours. The latest update on GitHub's status page says the service is "intermittently unavailable for some users" due to the attack.
The attack's structure was clever. The malicious code that caused the flood of traffic to GitHub came only from browsers outside of China that visited Web sites using Baidu's tools. That also points to China as the culprit, security experts said. Its own Web users were not affected. So the Great Firewall -- which enables the government to filter all Web traffic within its borders -- becomes an obvious point at which China could have inserted the malicious code.
"People outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech," according to a blog post from a researcher at Insight Labs. Visitors to the targeted GitHub pages currently see this message:
It's actually a little bit of code that sends a pop-up alert in browsers used as part of the attack.