Russian state-owned telecommunications provider Rostelecom sign on the facade of building showing BGP hijacking of internet traffic

Russian Rostelecom Compromises Internet Traffic Through BGP Hijacking

In a recent BGP hijacking incident, internet traffic meant for 200 major networks, content delivery networks (CDNs), and cloud providers were redirected through Russian state-owned telecommunications provider, Rostelecom. The hijack redirected over 8,800 major internet traffic routes through its servers for about an hour. Major companies affected by the hijack included Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, and Linode.

The working of BGP hijacking in compromising internet traffic

BGP is an acronym that stands for the Border Gateway Protocol. It is a system used to route internet traffic between networks across the globe. Using the BGP protocol, routers advertise network routes that they have access to. This allows peers to find the shortest route to the destination. The drawback of using this system is that it enables malicious actors to trick other peers that the destination servers are on their network. The tricked peers will then send all data to the hijacker’s server using the routing information provided. The attacker then stores the data for later analysis after decryption. Before advances in the use of cryptography, BGP hijacks allowed malicious entities to perform the man-in-the-middle (MitM) attacks. However, many incidents of BGP hijacking are a result of operator error instead of intentional BGP hijack. Such errors occur when the operator mistypes the ASN (autonomous system number).

Reported BGP hijackings

Various incidents of BGP hijacking have been reported multiple times. In 2018, a reported BGP hijacking incident involved a small Nigerian ISP that hijacked Google’s internet traffic. A year later, China’s state-owned telecom, hijacked the European internet traffic. The Russian telco giant has also been involved in additional BGP hijacking over the past years.

BGPMon founder Andree Toonk believes the latest BGP hijacking happened by accident. He said on Twitter that the internet traffic hijacking happened because Rostelecom was shaping its system and might have accidentally exposed its internal network BGP routes to the public internet.

Because of the nature of BGP hijacking, malicious actors can make the attack appear as an accident. Although it is impossible to conclude whether the latest incident was an honest mistake, it is unlikely that the two countries would be making such errors frequently.

Russian and Chinese BGP hijacking raises eyebrows

Any BGP hijacking involving autocratic countries such as Russia and China raises eyebrows. Similarly, the frequency of BGP hijacking incidents emanating from these two countries is suspicious. China Telecom is the most frequent offender of internet traffic hijacking using this method. Similarly, Russia’s Rostelecom is a habitual offender. In 2017, the Russian telecom giant managed to hijack internet traffic of only major financial institutions, raising questions.

The geopolitical atmosphere existing between the two countries and the United States also raises concerns when such incidents happen. Other concurrent events taking place leads experts to think the BGP hijacking is a result of more than just human error. The latest hijacking by Russian company happened just while the Internet Routing Registry was facing technical difficulties. The IRR operated by RIPE accidentally deleted 2,669 route origin authorization (ROA). The system is used to confirm whether routing information published by a peer is correct. The RIPE system affected servers in Europe, West Asia and states of the former USSR. It would be very unusual that Russia publishes incorrect routing information just when there is no method to verify the information. There is the possibility that Russia was aware of the deletion of the confirmation registry, and took the opportunity.

Justin Sherman, Nonresident Fellow with the Atlantic Council Cyber Statecraft Initiative notes that the pattern of BGP hijacking events involving China and Russia is suspicious.

“This has happened before with China Telecom, a Chinese state-owned telecommunications company, where sensitive internet traffic from different countries has mysteriously found its way through China Telecom’s systems on the way from point A to point B. It has also happened with Rostelecom before — which is why even though this event could be nothing more than an accident, the redirection of internet traffic from many major tech companies through Rostelecom should at the very least raise eyebrows. That is also the case given the way Moscow has worried about the vulnerability of the internet recently, including with protocols, and the possibility that officials are similarly examining how those vulnerabilities could be exploited against others.”

Sherman notes that internet security professionals do not consider the safety of internet protocols despite them being vulnerable BGP is vulnerable to hijacking.

“When we think about internet security worldwide, we probably think more about things like strong passwords and don’t think too much about the protocols that actually handle and route internet data around the world — yet many of them are quite vulnerable to hijacking and manipulation.”

Although he accepts that malfunctions could lead to such incidents, he believes actors could maliciously exploit the opportunity, “Sometimes there are malfunctions around BGP that cause traffic to take an unexpected and unintended path from its source to its destination on the internet. But other times, BGP can be maliciously’ hijacked’ so that internet traffic goes through a particular location — the point being for a malicious actor to potentially access important and sensitive information.”