The early stages of the attack started in early March, and Google’s researchers said that seemed to be a test as the attackers figured out the techniques they were going to use. There was only one target at that time, from March 3 to March 6, and the attackers then moved on.
“The initial test target was 126.96.36.199:56789 and the number of requests was artificially limited. From March 4rd to March 6th, the request limitations were removed,” Niels Provos from Google’s security team said in a blog post.
“The next phase was conducted between March 10th and 13th and targeted the following IP address at first: 188.8.131.52. Passive DNS places hosts under the sinajs.cn domain at this IP address. On March 13th, the attack was extended to include d1gztyvw1gvkdq.cloudfront.net. At first, requests were made over HTTP and then upgraded to to use HTTPS. On March 14th, the attack started for real and targeted d3rkfw22xppori.cloudfront.net both via HTTP as well as HTTPS. Attacks against this specific host were carried out until March 17th.”
The next day, the attackers, who are widely believed to be affiliated with the Chinese government, added several more hosts to the target list, all of them hosted by Amazon’s CloudFront service. The attackers changed tactics during this phase of the operation.
It wasn’t until March 26 that the attackers actually began targeting two separate resources on GitHub, one of which housed content from GreatFire.org, a censorship monitoring organization in China. The other resource was Chinese language content from the New York Times. The attack on those resources lasted until April 7 and Provos said that the attack wouldn’t have been possible if all of the Web’s links were encrypted.
“Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication,” Provos said.