China Telecom accused of exploiting points-of-presence to conduct internet espionage
Series of BGP hijackings by China Telecom are no accident, warn authors of new Military Cyber Affairs report
China Telecom has been accused of abusing its position as a point-of-presence inside networks in the US and Canada in order to help China's intelligence agencies conduct espionage.
The abuse, in the form of hijacks of the Border Gateway Protocol (BGP), followed on from an agreement between the US and China in September 2015 to discontinue government-backed cyber operations - with state-owned China Telecom being used to skirt the letter of the agreement instead.
That's the claim of a joint paper from Chris Demchak of the US Naval War College and Yuval Shavitt of Tel Aviv University, published earlier this week. Using a route-tracing system, they claim that China Telecom has systematically hijacked internet traffic on a regular basis by exploiting known weaknesses in BGP.
"China Telecom has ten strategically placed Chinese-controlled internet points of presence across the internet backbone of North America.
"Vast rewards can be reaped from the hijacking, diverting and then copying of information-rich traffic going into or crossing the US and Canada - often unnoticed and then delivered with only small delays," claim Demchak and Shavitt.
[Image: China Telecom points of presence in North America]
Furthermore, the authors claim that the technique described in the paper isn't just used in North America, but around the world where Chinese state-controlled telecoms companies enjoy a point-of-presence. The authors discount the explanation that the hijacks are merely the result of routing table errors.
"Errors can occur given the complexity of configuring BGP, and these possible errors offer covert actors a number of hijack opportunities.
"If network AS1 [for example] mistakenly announces through its BGP that it owns an IP block that actually is owned by network AS2, traffic from a portion of the internet destined for AS2 will actually be routed to - and through - AS1. If the erroneous announcement was maliciously arranged, then a BGP hijack has occurred," explains the report.
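The mis-origination the report describes (AS1 announcing a block owned by AS2) is what route origin validation is designed to catch. The following is an added example, not taken from the report or this article: a minimal RFC 6811-style check over constructed ROAs and announcements, using documentation prefixes and documentation ASNs (AS64501 stands in for AS1, AS64502 for AS2).

```python
import ipaddress

# Constructed ROA set: (prefix, max length, authorised origin AS).
# Documentation prefixes and ASNs only; this is not real routing data.
ROAS = [
    ("198.51.100.0/24", 24, 64502),  # AS2 is the legitimate holder
    ("203.0.113.0/24", 24, 64502),
]

# Constructed announcements as a route collector might see them.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64502),  # AS2 announces its own block
    ("198.51.100.0/24", 64501),  # AS1 announces AS2's block
    ("198.51.100.0/25", 64501),  # AS1 announces a more-specific of AS2's block
    ("198.51.100.0/25", 64502),  # right origin, but longer than max length
    ("192.0.2.0/24", 64501),     # no ROA covers this prefix
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route sits inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs both the authorised origin and an allowed prefix length.
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def hijack_candidates(announcements, roas=ROAS):
    """Return the announcements that a covering ROA contradicts."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) == "invalid"]


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}  {validate_origin(prefix, asn)}")
```

Origin validation checks only the origin AS, so a route that keeps the legitimate origin but is carried through an unexpected transit network still validates; spotting that needs path or traceroute monitoring of the kind the researchers describe.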
Furthermore, it adds, most BGP hijacks today aren't the work of small-time hackers, but of national governments' security agencies.
"Building a successful BGP hijack attack is complex, but much easier with the support of a complicit and, preferably, large-scale internet service provider that is more likely to be included as a central transit point…
"As a result, today most BGP hijacks are the work of government agencies or large transnational criminal organisations with access to, leverage over, or control of strategically placed internet service providers," claims the report.
It adds that on 8 April 2010, China Telecom hijacked 15 per cent of internet traffic for 18 minutes "in what is believed to be both a large-scale experiment and a demonstration of Chinese capabilities in controlling the flows of the internet".
However, these BGP hijacks have not gone unnoticed, claim the researchers. Tel Aviv University built a route-tracing system specifically in order to monitor the occurrence of BGP hijacking, which is sufficiently detailed to be able to distinguish between 'accidental' hijacks and deliberate BGP hijacks.
This tool, they claim, points to China Telecom using its points-of-presence across North America to conduct BGP hijacking operations.
"Few other non-American ISPs have such a widespread presence on US soil. Using these numerous points-of-presence, China Telecom has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks and months… The patterns of traffic revealed in trace route research suggest repetitive IP hijack attacks committed by China Telecom," claims the report.
What gives them away as deliberate attacks, rather than just honest mistakes, they continue, are the unusual transit characteristics of the hijacks in terms of lengthened routes and abnormal durations. The authors cite a number of instances to back up their claims.
These include:
- The hijacking of routes from Canada to South Korean government sites starting in February 2016 and lasting for about six months;
- The October 2016 hijacking from several locations in the US to the headquarters of an Anglo-American bank in Milan, Italy; and,
- The hijacking of traffic between Scandinavia and Japan between April and May 2017, targeting a major US news organisation.
In the Italian example above, there's evidence that engineers had difficulty routing the traffic on to Milan and, in the end, gave up - the traffic was never actually delivered, the authors claim.
"The traffic stumbles on China Telecom's points-of-presence due to the shortest route bias in BGP rules and then is hijacked in the US by the Chinese network," the report warns.
Part of the problem, suggest the authors, is that there is no reciprocity - the Chinese government prevents any non-Chinese telecoms or networking company from enjoying the same points of presence on the internet in China that China Telecom enjoys in the US, Canada and across the world.