Activists battling internet censorship in China are reporting that they have proof of a massive online assault on their websites by the Chinese authorities. The attack, which began last Thursday, targeted two GitHub projects designed to combat censorship in China: GreatFire and CN-NYTimes, a Chinese language version of the New York Times.

Independent researchers, in response to GreatFire’s call for help, have reported the following discoveries:

• Millions of global internet users, visiting thousands of websites hosted inside and outside China, were randomly receiving malicious code which was used to launch cyberattacks against GreatFire.org’s websites.

• Baidu’s Analytics code (h.js) was one of the files replaced by malicious code which triggered the attacks. Baidu Analytics, akin to Google Analytics, is used by thousands of websites. Any visitor to any website using Baidu Analytics or other Baidu resources would have been exposed to the malicious code..

• That malicious code is sent to “any reader globally” without distinguishing that user’s geographical location, meaning that the authorities did not just launch this attack using Chinese internet users—they compromised internet users and websites everywhere in the world.

• The tampering takes places someplace between when the traffic enters China and when it hits Baidu’s servers. This is consistent with previous malicious actions and points to the Cyberspace Administration of China (CAC) being directly involved in these attacks.

Sample graph from the report generated from one of the log files based on the 18th of March 2015 attack.

GreatFire has released technical details of the attack in a report titled: “Using Baidu to steer millions of computers to launch denial of service attacks”.