Anatomy of a Breach: GitHub and China's Great Cannon — When a Nation Weaponised Its Own Internet Users

> series: anatomy_of_a_breach —— part: 076 —— target: github —— weapon: great_cannon —— purpose: censorship_enforcement

Hedgehog Security 30 April 2015 12 min read

China turned millions of its own internet users into an unwitting DDoS weapon.

In late March 2015, GitHub was hit by the largest DDoS attack in its history — a sustained assault lasting five days that specifically targeted two repositories: GreatFire (a project monitoring Chinese internet censorship) and cn-nytimes (a Chinese-language mirror of the New York Times). The attack was sophisticated: rather than using a traditional botnet, it weaponised the web browsers of millions of unsuspecting internet users — primarily outside China — by intercepting and modifying their web traffic as it passed through Chinese internet infrastructure.

Researchers at the University of Toronto's Citizen Lab identified the weapon: the 'Great Cannon', a previously unknown offensive tool built alongside China's Great Firewall. When users anywhere in the world visited Chinese websites that loaded resources from Baidu (China's largest search engine), the Great Cannon intercepted the traffic and injected malicious JavaScript that redirected the user's browser to flood the targeted GitHub pages with requests. Millions of legitimate web users became the DDoS weapon — without their knowledge or consent.


Weaponising legitimate traffic at internet scale.

Traffic Interception at National Scale

The Great Cannon operated at the level of China's internet backbone — intercepting traffic flowing into and out of the country. Any web request that crossed the Chinese border and involved resources hosted on Chinese servers could be intercepted, modified, and weaponised. This is state-level capability that no private organisation can replicate or defend against alone.

JavaScript Injection

The Great Cannon injected malicious JavaScript into HTTP responses, replacing legitimate Baidu analytics scripts with code that directed the user's browser to repeatedly request the targeted GitHub pages. The injected code ran silently — the user saw no indication that their browser was participating in an attack. Our <a href="/penetration-testing/web-application">web application testing</a> includes assessment of content injection vulnerabilities.

Millions of Unwitting Participants

Because Baidu's analytics and advertising scripts are embedded on millions of websites, any user worldwide visiting a site with Baidu resources could have their traffic weaponised. The Great Cannon turned legitimate web browsing into an attack vector — a concept that challenges fundamental assumptions about internet trust.

HTTPS Would Have Prevented Injection

The Great Cannon could only inject code into unencrypted HTTP traffic. HTTPS connections, which encrypt the content between browser and server, would have prevented the injection. The attack accelerated the adoption of HTTPS everywhere — a transition that <a href="/cyber-essentials">Cyber Essentials</a> mandates and our <a href="/penetration-testing/web-application">web application testing</a> verifies.
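As an added example (not part of the original article, and not Hedgehog Security's code), the following Python script audits a page for the exact exposure described above: active resources such as an analytics script fetched over plaintext HTTP, which an on-path system can rewrite in transit. The sample page and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose fetched content executes or renders in the page.
ACTIVE_RESOURCES = {"script": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, raw url) in document order

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_RESOURCES.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Among <link> elements only stylesheets are active content.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        if a.get(attr):
            self.resources.append((tag, a[attr]))


def find_injectable_resources(html, page_url):
    """Return [(tag, absolute_url)] for resources fetched over plaintext HTTP.

    These can be rewritten by anyone on the network path (the Great Cannon
    swapped Baidu analytics scripts this way); https:// loads cannot be
    altered silently. Protocol-relative URLs (//host/x.js) inherit the
    page's scheme, so they are only safe when the page itself is https.
    """
    parser = _ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, raw in parser.resources:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            findings.append((tag, absolute))
    return findings


# Constructed sample page (placeholder hostnames): a plaintext analytics
# script, a protocol-relative include, an https stylesheet and an http frame.
SAMPLE_HTML = """<html><head>
<script src="http://analytics.example-cn.test/h.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
</head><body><iframe src="http://ads.example.test/frame"></iframe></body></html>"""
```

Run it against your own pages with the real page URL: the protocol-relative include is reported only when the page itself is served over HTTP, which is exactly the case the move to HTTPS everywhere closes.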

When nation-states weaponise the internet itself.

The Great Cannon represented a qualitative escalation in nation-state cyber capabilities. Previous attacks — Aurora, Stuxnet, Shamoon — targeted specific organisations. The Great Cannon weaponised the internet infrastructure itself, turning millions of innocent users into an attack tool. For organisations that host content, provide services, or simply depend on internet availability, the Great Cannon demonstrated that nation-state adversaries can marshal resources beyond the capacity of any private organisation to absorb.

For UK organisations, the defensive implications include DDoS mitigation planning, HTTPS deployment to prevent traffic injection, and the recognition that internet availability is a threat surface. Our infrastructure testing assesses DDoS resilience. Cyber Essentials mandates HTTPS. SOC in a Box monitors for DDoS attack precursors. And UK Cyber Defence provides incident response during active attacks.


China weaponised millions of users to attack GitHub. Could your services survive the same?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses DDoS resilience. <a href="/cyber-essentials">Cyber Essentials</a> mandates HTTPS. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for attack indicators.
