Two new reports indicate that China Telecom has been involved in abnormal internet routing that diverted traffic through China, possibly in order to intercept it.
After the Naval War College published a paper detailing China Telecom's alleged practice of using border gateway protocol (BGP) hijacking to divert global web traffic, an internet analysis expert from Oracle confirmed the unusual routing patterns in an Oracle blog post on Monday.
“There is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017,” said Doug Madory, Oracle’s Director of Internet Analysis.
China Telecom misdirected internet traffic, says Oracle report: The Naval War College published a paper titled, “China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking” that contained a number of claims about… https://t.co/11imFYbVG5 pic.twitter.com/ipQT8tMyRq
— CS Threat Intel (@cipherstorm) November 6, 2018
The War College paper claimed that China Telecom operates at least 10 points of presence (PoPs) inside North American networks and uses them to quietly divert web traffic and harvest information from it.
The internet is a federation of independently run networks (autonomous systems), most of which are not directly connected to one another. Each network learns which paths lead to which blocks of addresses only from the routing announcements its neighbours send it over BGP, and it picks among those paths by local policy and, roughly, by the shortest chain of networks.
BGP hijacking exploits the fact that those announcements are accepted largely on trust: a network announces address space it does not own, or a more specific slice of it, or a path that looks shorter than the legitimate one, and neighbouring networks adopt the bogus route and forward traffic to the announcer. A large carrier that sits in the middle of many such paths is especially well placed to do this.
“Building a successful BGP hijack attack is complex, but much easier with the support of a complicit and preferably large-scale ISP [Internet Service Provider] that is more likely to be included as a central transit point among a sea of [Autonomous Systems],” the War College paper explained.
“As a result, today most BGP hijacks are the work of government agencies or large transnational criminal organizations with access to, leverage over, or control of strategically placed [Internet Service Providers],” the paper noted.
Madory described a routing anomaly first identified in December 2015, during which internet traffic was hijacked by Korean networks. As a consequence, traffic for large networks such as Verizon's began routing through China Telecom, a path it had never taken before.
Suddenly, traffic sent from U.S. networks to other U.S. networks was being routed through network points in mainland China.
Madory contacted Verizon and the other affected networks, prompting them to apply routing filters.
“That action reduced the footprint of these routes by 90% but couldn’t prevent them from reaching those who were peering directly with China Telecom,” he said.
“We would classify this as a peer leak and the result was China Telecom’s network being inserted into the inbound path of traffic to Verizon,” Madory said.
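The two mechanisms described above, a hijack of a more specific prefix and a peer leak that inserts a third party into another network's inbound path, can be reproduced in a small route-selection model. The following is an added illustration written for this article; it is not code from the War College paper, from Oracle, or from Doug Madory, and every ASN (64496, 64500, 64501, 64510, 64520, 64666), prefix (203.0.113.0/24) and ROA entry in it is a constructed documentation value rather than a real network. It models the two checks that the filters Madory mentions would typically implement: RPKI origin validation, which rejects the more-specific announcement from an unauthorised origin, and a peer-leak rule that rejects routes a settlement-free peer could only have learned from a large transit carrier.

```python
"""Toy BGP route selection and route-filter simulation.

Added illustration, not code from the War College paper or from Oracle/Doug
Madory. All ASNs (64496-64511, 64666), prefixes (203.0.113.0/24) and the ROA
table are constructed documentation values, not real networks.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

MY_AS = 64500
TRANSIT_PROVIDERS = {64510}           # upstreams we pay; may legitimately carry any route
PEERS = {64501, 64666}                # settlement-free peers; should only send own/customer routes
LARGE_TRANSIT_ASNS = {64510, 64520}   # big carriers a peer has no business relaying to us
LOCAL_PREF = {"peer": 200, "transit": 100}   # common policy: prefer free peer routes over paid transit

# RPKI ROAs: prefix -> (authorised origin ASN, max prefix length). Constructed.
ROAS = {ip_network("203.0.113.0/24"): (64496, 24)}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    as_path: tuple            # leftmost = neighbour that sent it, rightmost = origin AS
    learned_from: int         # ASN of that neighbour

    @property
    def origin(self) -> int:
        return self.as_path[-1]

    @property
    def local_pref(self) -> int:
        return LOCAL_PREF["peer" if self.learned_from in PEERS else "transit"]


def roa_state(route: Route) -> str:
    """Simplified RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [v for p, v in ROAS.items() if route.prefix.subnet_of(p)]
    if not covering:
        return "not-found"
    if any(route.origin == asn and route.prefix.prefixlen <= maxlen for asn, maxlen in covering):
        return "valid"
    return "invalid"


def is_peer_leak(route: Route) -> bool:
    """A peer that relays routes it learned from a large transit carrier is leaking them."""
    return route.learned_from in PEERS and any(a in LARGE_TRANSIT_ASNS for a in route.as_path[1:])


def accepted(route: Route, filtering: bool) -> bool:
    return not filtering or (roa_state(route) != "invalid" and not is_peer_leak(route))


def build_rib(announcements: list[Route], filtering: bool) -> dict[IPv4Network, Route]:
    """One best route per prefix: highest local-pref, then shortest AS_PATH, then lowest neighbour ASN."""
    rib: dict[IPv4Network, Route] = {}
    for r in announcements:
        if not accepted(r, filtering):
            continue
        key = lambda x: (-x.local_pref, len(x.as_path), x.learned_from)
        if r.prefix not in rib or key(r) < key(rib[r.prefix]):
            rib[r.prefix] = r
    return rib


def next_hop_asn(rib: dict[IPv4Network, Route], dst: str) -> int | None:
    """Forwarding is longest-prefix match, so a more-specific hijack wins however short the honest path is."""
    addr = ip_address(dst)
    matches = [r for p, r in rib.items() if addr in p]
    return max(matches, key=lambda r: r.prefix.prefixlen).learned_from if matches else None


# Constructed announcements arriving at AS 64500:
ANNOUNCEMENTS = [
    Route(ip_network("203.0.113.0/24"), (64510, 64496), 64510),         # honest route via transit
    Route(ip_network("203.0.113.0/25"), (64666,), 64666),               # more-specific hijack by a peer
    Route(ip_network("203.0.113.0/24"), (64501, 64510, 64496), 64501),  # peer leak of the honest route
]


def forwarding_decisions(filtering: bool) -> dict[str, int | None]:
    """Which neighbour we would hand traffic for each destination to, with and without filters."""
    rib = build_rib(ANNOUNCEMENTS, filtering)
    return {dst: next_hop_asn(rib, dst) for dst in ("203.0.113.10", "203.0.113.200")}


if __name__ == "__main__":
    print("unfiltered:", forwarding_decisions(False))  # hijacker gets .10, leaking peer gets .200
    print("filtered:  ", forwarding_decisions(True))   # both go to the honest transit route
```

Without filters, the /25 hijack captures half of the block by longest-prefix match alone, and the leaked /24 beats the honest route despite its longer path because peer routes carry a higher local preference than paid transit; that preference is why a peer leak can insert a third party into inbound paths, as Madory describes. With the two filters applied, both bogus routes are dropped and traffic follows the honest transit path. Real routers evaluate many more attributes (MED, IGP cost, router ID) and real leak detection is harder than a static ASN list, so treat the model as a sketch of the checks, not a substitute for them.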
The War College paper called for urgent action, such as tripling the number of U.S. telecom PoPs relative to the number of Chinese telecom PoPs, to correct the imbalance in the PoPs that foreign carriers are permitted to operate.
“More balance between democratic and authoritarian information technology systems by enforcing reciprocal fairness is likely to have a significant positive influence on the currently deleterious trends in international cyber insecurity,” the paper explained. “This could be a first step in making hijacking internet traffic much more difficult and costly for adversaries.”