Cyber Incident Victim: GitHub
Date: Aug 2015
Location: China
Summary
GitHub experienced a distributed denial-of-service attack causing connectivity disruptions, with services restored approximately three and a half hours after initial detection. The platform had previously faced a similar large-scale DDoS incident involving malicious JavaScript that hijacked global traffic to overwhelm its systems, linked to servers in China and aimed at coercing content removal. While the current attack's scale and origin remain unspecified, it echoed historical tactics used against anti-censorship entities, though no direct attribution or motive was confirmed.
Description
In March 2015, GitHub experienced a distributed denial-of-service attack lasting nearly a week, the largest such incident in its history at the time. The attack originated from servers based in China and used an unconventional method built on malicious JavaScript rather than traditional DDoS tooling. Attackers tampered with the Baidu Analytics script (h.js), which was embedded in thousands of websites globally, so that the browsers of unsuspecting visitors sent traffic to GitHub's infrastructure. This affected millions of internet users who visited any site that loaded Baidu's script, effectively turning their browsers into the attack vector. GitHub systems engineer Jesse Newland confirmed that the attackers' objective was to pressure the platform into removing a specific category of content, though the exact nature of that content was not disclosed. The attack shared technical and operational similarities with contemporaneous assaults on GreatFire.org, an anti-censorship organization that monitors Chinese internet restrictions, which cybersecurity experts attributed to Chinese state-backed actors. GitHub's engineering team mitigated the attack after sustained defensive efforts over several days, though service disruptions occurred intermittently throughout the incident period. The volume of traffic generated through the tampered Baidu script created unprecedented volumetric challenges for GitHub's network defenses. No data breaches or system compromises beyond the service outages were reported in connection with this incident.

On August 25, 2015, GitHub again faced a DDoS attack beginning at approximately 5:30 a.m. Eastern Time, with the company confirming the assault via its status log at 6:30 a.m. The platform restored full service by 9:00 a.m. after implementing unspecified mitigation measures. Unlike the March incident, GitHub provided no technical details regarding attack vectors, traffic volume, or infrastructure impacts. The company did not respond to media inquiries about the attack's origin, perpetrator motivations, or potential connections to the earlier China-linked campaign. No evidence emerged during the incident window suggesting content removal demands similar to the March attackers' objectives. Service disruptions were confined to connectivity issues without reports of data loss or unauthorized access. GitHub's status updates indicated normal operations resumed within three and a half hours of initial detection, implying a shorter duration and potentially smaller scale compared to the week-long March event. The absence of confirmed attribution or technical specifics left unresolved whether this constituted a new threat actor's actions or a recurrence of prior adversarial activity against the platform.
