For me the most interesting thing about this incident is how the GFW is being used offensively. Most other governments so far have protested online censorship from a kind of moral standpoint, but not from a security standpoint per se. Now it's quite clear the GFW is being leveraged offensively - did anyone spot this capability previously?
It's an identical setup to the NSA QUANTUM infrastructure, just in China instead of scattered around the western internet system. So I guess it's probably been used offensively in a more targeted approach for a while.
The actual detail/technology, more or less. There's nothing China did this last couple of weeks that the Five Eyes' QUANTUM setups aren't already tooled to do: QUANTUMINSERT can be used to inject the JavaScript, just change the selectors and the payload. Indeed, I believe this capability has already been privately trialled by GCHQ. (QUANTUMSLAMMER, was it?)
It is not advanced technology: TCP just has no protection here. Anyone capable of in-path packet surveillance and in-/by-path packet injection on a significant link can pull off this exact same attack. You could co-opt a router to do it: GCHQ have.
We're going to need pervasive (authenticated) encryption to defeat it.
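The two comments above describe an in-path injector that races the real server and the lack of any TCP-level defence against it short of authenticated encryption. As an added example (not code from the thread), here is the classic defender-side heuristic for spotting such a race in a capture: two segments on the same flow with the same sequence number but different payloads, typically with a different TTL because they came from a different hop. The packet records are constructed for this example and the field layout is an assumption.

```python
# Added example, not from the thread: detect racing/injected TCP segments.
# An in-path injector answers before the real server, so the client sees two
# segments with the same (flow, seq) whose payloads differ; the injected copy
# usually arrives with a different TTL. Identical duplicates are ordinary
# retransmissions and are not reported.
from collections import defaultdict

# Constructed sample records: (src, sport, dst, dport, seq, ttl, payload).
# Addresses are documentation ranges; the "injected" line is made up.
SAMPLE_SEGMENTS = [
    ("203.0.113.10", 80, "198.51.100.5", 51000, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    ("203.0.113.10", 80, "198.51.100.5", 51000, 1000, 61, b"HTTP/1.1 200 OK\r\nX-Note: injected\r\n"),
    ("203.0.113.10", 80, "198.51.100.5", 51000, 1017, 52, b"Content-Type: text/html\r\n"),
    # Benign retransmission: same seq, same payload, same TTL.
    ("203.0.113.10", 80, "198.51.100.5", 51000, 1017, 52, b"Content-Type: text/html\r\n"),
]

def find_injection_candidates(segments):
    """Return one alert per pair of segments that share a flow and sequence
    number but carry different payloads. ttl_delta helps triage: a large
    difference means the two copies came from different path lengths."""
    seen = defaultdict(list)   # (src, sport, dst, dport, seq) -> [(ttl, payload)]
    alerts = []
    for src, sport, dst, dport, seq, ttl, payload in segments:
        key = (src, sport, dst, dport, seq)
        for prev_ttl, prev_payload in seen[key]:
            if payload == prev_payload:
                continue       # plain retransmission, not suspicious
            alerts.append({
                "flow": key,
                "ttl_delta": abs(ttl - prev_ttl),
                "first_payload": prev_payload[:40],
                "second_payload": payload[:40],
            })
        seen[key].append((ttl, payload))
    return alerts

if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE_SEGMENTS):
        print(alert)
```

On real traffic, feed it segments parsed from a capture tool and expect some false positives from middleboxes that legitimately rewrite payloads; the TTL delta is what separates those from a distant injector.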
I believe this is precisely the method GCHQ used to compromise Belgacom, for the purposes of spying on the EU. They used QUANTUMINSERT to inject an exploit payload into connections from Belgacom employees to LinkedIn and Slashdot.
Although in those, they targeted using pretty close selectors and the payload was browser exploits with a very advanced dropper from what is essentially a big, supported modern malware construction kit. GCHQ used the same technique, but leveraged it to do a very different - and actually far more intrusive and destructive - thing.
This, by contrast, is a widely-targeted, fairly dumb DoS payload - but of course, not every DDoS has to be smart! Scale does all the work, and dropping malware, albeit relatively benign malware, en masse like this yields a lot of scale. This is particularly bad when there are potentially more personnel adapting it to evade defenses than there are personnel trying to defend against it: bravo to the GitHub security team!
I had to do that for a website I ran a while ago. It's unfortunate but at the end of the day blocking China means that the rest of the world can continue to use your services legitimately.