China has been 'hijacking the vital internet backbone of western countries'

Chinese government turned to local ISP for intelligence gathering after it signed the Obama-Xi cyber pact in late 2015, researchers say.

A Chinese state-owned telecommunications company has been "hijacking the vital internet backbone of western countries," according to an academic paper published this week by researchers from the US Naval War College and Tel Aviv University.

The culprit is China Telecom, the country's third-largest telco and internet service provider (ISP), which has had a presence inside North American networks since the early 2000s when it created its first point-of-presence (PoP).

PoPs are data centers that do nothing more than re-route traffic between all the smaller networks that make up the larger internet.

These smaller networks are known as "autonomous systems" (AS) and they can be the networks of big tech companies like Google, your friendly neighborhood ISP, big tier-1 ISPs like Verizon, university networks, bank networks, web hosting companies, and all entities big enough to have received their own block of IP addresses.

Traffic travels between these AS networks with the help of the Border Gateway Protocol (BGP). This protocol was created in the early 80s and does not feature any security controls, allowing anyone to announce a bad BGP route and receive traffic that was not intended for their network.

In the vast majority of cases, these incidents --called BGP hijacks-- happen because of configuration mistakes and are resolved in minutes or hours.

But there are also some networks that hijack BGP routes to send legitimate traffic through malicious servers. They do this to carry out man-in-the-middle traffic interception, phishing attacks to steal passwords, or to record HTTPS-encrypted traffic to later decrypt it by leveraging cryptographic attacks such as DROWN or Logjam.

In a research paper published this week, researchers reveal that China Telecom has been one of the internet's most determined BGP hijackers.

Researchers point out that the Chinese government, through China Telecom, started abusing BGP hijacks after it entered into a pact with the US in September 2015 to stop all government-backed cyber operations aimed at intellectual property theft.

"This necessitated new ways to get information while still technically adhering to the agreement," said the researchers. "Since the agreement only covered military activities, Chinese corporate state champions could be tasked with taking up the slack. [...] Enter China Telecom."

The research duo says they've built "a route tracing system monitoring the BGP announcements and distinguishing patterns suggesting accidental or deliberate hijacking."

Using this system, they tracked down long-lived BGP hijacks to the ten PoPs --eight in the US and two in Canada-- that China Telecom has been silently and slowly setting up in North America since the early 2000s.

"Using these numerous PoPs, [China Telecom] has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks, and months," researchers said.

"While one may argue such attacks can always be explained by 'normal' BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics --namely the lengthened routes and the abnormal durations."
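The two signals named in that quote, lengthened routes and abnormal durations, can be checked mechanically. The sketch below is an added example, not the researchers' route tracing system: it compares observed AS paths against a per-prefix baseline and times each detour. The sample observations, the documentation-range ASNs and prefixes, and the one-day `LONG_LIVED` cut-off are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed data: ASNs from the documentation range (RFC 5398), prefixes
# from the documentation ranges (RFC 5737). None of these are real routes.
BASELINE = {
    "192.0.2.0/24": [64500, 64501, 64502],
    "198.51.100.0/24": [64500, 64503, 64504],
}
DETOUR = [64500, 64510, 64511, 64501, 64502]  # two extra transit hops

def obs(day, hour, prefix, path):
    return (datetime(2017, 4, day, hour), prefix, path)

OBSERVATIONS = [
    obs(1, 0, "192.0.2.0/24", BASELINE["192.0.2.0/24"]),
    obs(2, 0, "192.0.2.0/24", DETOUR),    # lengthened route appears
    obs(20, 0, "192.0.2.0/24", DETOUR),   # still in place 18 days later
    obs(30, 0, "192.0.2.0/24", BASELINE["192.0.2.0/24"]),
    obs(5, 10, "198.51.100.0/24", [64500, 64510, 64503, 64504]),
    obs(5, 12, "198.51.100.0/24", BASELINE["198.51.100.0/24"]),
]

LONG_LIVED = timedelta(days=1)  # assumed cut-off, not taken from the paper

def find_detours(observations, baseline, long_lived=LONG_LIVED):
    """Group consecutive lengthened paths per prefix into timed episodes."""
    episodes, open_eps = [], {}

    def close(ep, end):
        ep["duration"] = end - ep["start"]
        ep["long_lived"] = ep["duration"] >= long_lived
        episodes.append(ep)

    for ts, prefix, path in sorted(observations, key=lambda o: (o[1], o[0])):
        usual = baseline[prefix]
        extra = {asn for asn in path if asn not in usual}
        if extra and len(path) > len(usual):  # new transit AS and longer route
            ep = open_eps.setdefault(
                prefix, {"prefix": prefix, "start": ts, "extra_asns": set()})
            ep["extra_asns"] |= extra
            ep["last_seen"] = ts
        elif prefix in open_eps:              # baseline path is back
            close(open_eps.pop(prefix), ts)
    for ep in open_eps.values():              # never reverted in the data
        close(ep, ep["last_seen"])
    return episodes

if __name__ == "__main__":
    for ep in find_detours(OBSERVATIONS, BASELINE):
        kind = "long-lived detour" if ep["long_lived"] else "short-lived"
        print(ep["prefix"], sorted(ep["extra_asns"]), ep["duration"], kind)
```

A detour that clears within hours matches the configuration-mistake pattern described earlier in the article; one that persists for days or weeks is the pattern the researchers single out.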

In their paper, the duo lists several long-lived BGP hijacks in which traffic for a particular network was made to take a long detour through China Telecom's network in mainland China before being allowed to reach its intended and final destination.

  • Starting from February 2016 and for about six months, routes from Canada to Korean government sites were hijacked by China Telecom and routed through China.
  • In October 2016, traffic from several locations in the USA to a large Anglo-American bank headquarters in Milan, Italy was hijacked by China Telecom to China.
  • Traffic from Sweden and Norway to the Japanese network of a large American news organization was hijacked to China for about six weeks in April/May 2017.
  • Traffic to the mail server (and other IP addresses) of a large financial company in Thailand was hijacked several times during April, May, and July 2017. Some of the hijack attacks started in the USA.

[Figure: example of a China Telecom BGP hijack. Image: Demchak et al.]

Researchers also note that China's internet network is a system that's largely closed off and isolated from the rest of the internet, to which it connects only via three nodes located in Beijing, Shanghai, and Hong Kong.

This isolationist approach to its internet infrastructure means that China wouldn't be able to carry out BGP hijacks for international traffic because very little goes through its mainland nodes. This is why the PoPs it set up in North America, but also throughout Europe and Asia, are so crucial.

"That imbalance in access allows for malicious behavior by China through China Telecom at a time and place of its choosing, while denying the same to the US and its allies," researchers noted.

"The prevalence of and demonstrated ease with which one can simply redirect and copy data by controlling key transit nodes buried in a nation's infrastructure requires an urgent policy response."

ZDNet readers can find out more from the research paper, entitled "China's Maxim - Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking," which is available for download.
