China Says Hackers Hijacked Its Internet Traffic, But Experts Don't Buy It

The glitch that sent users to a Polish travel site was probably caused by the country's censors.
Image: Fredrik Rubensson/Flickr

Last week, millions of internet users in China started getting redirected to a Polish couple's travel blog when visiting several websites that contained Facebook "like" buttons.

Experts quickly pointed out that this was likely yet another glitch in the Great Firewall of China, the country's infamous and powerful censorship system. But days later, on Friday, the Chinese government pointed the finger at unidentified foreign hackers.


"It was a rather strange case because the hackers were directly targeting the telecom carriers' servers. It has rarely happened before," said an anonymous senior staff member of the country's National Computer Network Emergency Response Technical Team Coordination Center, according to China Daily.

The incident, according to the official, was caused by malware that "contaminated" the servers of China's internet service providers. The official also added that "it will be difficult to trace the source of the attack because it is technically possible to carry it out by remotely controlling the servers."

But internet security experts are not buying China's vague explanation.

Nicholas Weaver, a researcher at the International Computer Science Institute and UC Berkeley, was skeptical, and said that it's not the first time the government has tried to blame "Great-Firewall related outages on mysterious hackers."

Last year, in fact, Chinese censors inadvertently blocked most Chinese internet users from accessing the internet in the course of trying to block the anti-censorship group GreatFire, causing one of the largest outages in China's history. The government, however, blamed a "malfunction" and warned of hackers exploiting it.

Last week's redirection was done by intercepting traffic using a technique called Domain Name System (DNS) spoofing, in which lookups for a given domain are answered with a different address, so that traffic meant for that domain is sent elsewhere. This is a common way for Chinese censors to block websites, according to experts, and it's unclear what the mysterious hackers would have had to gain by redirecting traffic in this case.
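
The detection side of what the paragraph above describes, as an added example that is not from the article or from any of the researchers it quotes: a minimal parser for DNS response packets and a check that flags A-record answers an untrusted path returned but a trusted resolver did not. The domain `cdn.example.com`, the transaction ID and the addresses (all from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are constructed sample data, not the real addresses involved in the incident.

```python
import struct
from typing import List, Tuple


def build_dns_response(txid: int, qname: str, answers: List[str], ttl: int = 60) -> bytes:
    """Build a minimal DNS response carrying only A records for one question.
    Exists only so this example can construct sample packets offline."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to offset 12, i.e. the question name
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a (possibly compressed) domain name; return it and the offset after it."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but resume after the 2 bytes
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns_response(data: bytes) -> dict:
    """Parse the header, question section and A-record answers of a DNS response."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = _read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def find_spoofed(observed: bytes, trusted: bytes) -> List[str]:
    """Return A-record addresses in `observed` that the trusted resolver did not return
    for the same question. A non-empty result is a spoofing signal, not proof."""
    obs = parse_dns_response(observed)
    ref = parse_dns_response(trusted)
    if obs["questions"] != ref["questions"]:
        raise ValueError("responses answer different questions")
    trusted_ips = {ip for _, ip, _ in ref["answers"]}
    return [ip for _, ip, _ in obs["answers"] if ip not in trusted_ips]


# Constructed sample packets (documentation-range addresses, hypothetical domain).
TRUSTED = build_dns_response(0x1234, "cdn.example.com", ["192.0.2.10", "192.0.2.11"])
OBSERVED_OK = build_dns_response(0x1234, "cdn.example.com", ["192.0.2.11"])
OBSERVED_SPOOFED = build_dns_response(0x1234, "cdn.example.com", ["198.51.100.7"])

if __name__ == "__main__":
    print("clean path:", find_spoofed(OBSERVED_OK, TRUSTED))          # []
    print("suspect path:", find_spoofed(OBSERVED_SPOOFED, TRUSTED))   # ['198.51.100.7']
```

Because large sites serve different addresses by region, a single mismatch against one trusted resolver is only a signal; in practice the comparison is repeated against several resolvers (for example over an encrypted or out-of-region path) and the unexpected address is checked against the network owner, which is how the redirect in this story was traced to an unrelated blog host rather than to the site users had asked for.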

Bill Marczak, who along with Weaver was one of the authors of a recent paper uncovering China's latest cyberweapon, the Great Cannon, a tool that is capable of hijacking internet connections and targeting users with malware, told Motherboard that China's explanation is technically plausible, but "it's hard to see why attackers would have wanted to hijack DNS entries in this manner."

In other words, why would mysterious hackers want to redirect users to a Polish travel blog and a software site when they could have done something much more nefarious?

"The Great Firewall normally uses DNS spoofing to block or intercept the internet connections of its citizens," a security researcher who has lived in China and requested anonymity to speak freely told Motherboard. "The most plausible explanation," he added, is that it was a glitch caused by Chinese censors.

The Chinese Embassy in Washington, DC did not answer Motherboard's request for comment.