Russia and China's 'attack on Google': Virtual wargame 'experiment' hits search giant with 'worst ever' internet hijack that intercepted search, cloud and business services
· An internet traffic diversion disrupted Google services and re-routed its data
· Major internet providers in China and Russia intercepted data from Google users
· Attack may prelude more wide-scale attacks from the nations involved in future
· Interruptions lasted for nearly 1.5 hours until 10:30pm GMT (5:30pm EST)
· Google said it had no reason to believe the traffic hijacking was malicious
Google has been hit by the 'worst ever' internet hijack in the
company's history, security experts say.
Information from users' Google searches, cloud-hosting services and the
company's bundle of collaboration tools for businesses - known as G Suite -
were all affected.
Data belonging to users across the globe was intercepted by servers in
Nigeria, China and Russia - including those run by major state-owned
telecoms providers.
Security experts suggested the hack was a 'wargame experiment' - meaning
it may prelude similar, more wide-scale attacks from the nations involved in
future.
Google is downplaying Monday's incident, saying it does not believe it
was malicious, but has failed to allay fears that the personal data of millions
of users may have been compromised.
The company is under increasing pressure to protect users after a string
of high-profile data leaks, including last month's breach of its Google+ social
network, which exposed the private information of an estimated 500,000 people.
The type of traffic misdirection employed in the latest incident, known
as border gateway protocol (BGP) hijacking, can knock essential services
offline and facilitate espionage and financial theft.
It can result either from misconfiguration - human error, essentially -
or from malicious action.
In two recent cases, traffic rerouting has hit financial sites,
potentially exposing people's private data to malicious hackers.
In April 2017, a state-owned Russian telecoms firm hijacked the traffic
of MasterCard and Visa, allowing it to enumerate who was initiating
connections.
This past April, another hijacking enabled hackers to steal
$152,000-worth (£118,000) of the cryptocurrency Ether from users of the website
EtherWallet.com.
Google service interruptions lasted for nearly one and a half hours and
ended about 10:30pm GMT (5:30pm EST) on Monday, network service companies said.
Network intelligence company ThousandEyes uncovered the hijack.
Alex Henthorn-Iwane, an executive at ThousandEyes, called Monday's
incident the worst affecting Google that his San Francisco company has seen.
He said he suspected nation-state involvement because the traffic was
effectively landing at state-run China Telecom.
A recent study by U.S. Naval War College and Tel Aviv University
scholars found that China systematically hijacks and diverts U.S. internet
traffic.
ThousandEyes named the companies involved in Monday's incident, in
addition to China Telecom, as the Russian internet provider Transtelecom and
the Nigerian ISP MainOne.
According to Professor Alan Woodward, a computer scientist at the
University of Surrey, the hijack could have been part of an elaborate
surveillance scheme.
He told MailOnline: 'Access to people's data is a "strategic
asset" for surveillance, and Russia and China have carried out hijack
attacks to collect that data before.
'Most data like your online messages are encrypted, meaning anyone with
access to that data could not easily read them.
'But while they could not read the messages themselves, they could track
who talked to whom, when, and for how long.
'This would be useful information to help build up intelligence data on
high-profile individuals of interest to foreign governments.'
Both ThousandEyes and the U.S. network monitoring company BGPmon said
the internet traffic detour originated with the Nigerian company MainOne.
WHAT DO WE KNOW ABOUT THE COMPANIES INVOLVED IN THE GOOGLE HIJACK?
China Telecom
China Telecom is a state-owned telecommunication company and the third largest
mobile telecoms provider in China.
The company is embedded in North American networks, with 10
points-of-presence (PoP) access points spanning major internet exchange
locations.
China Telecom has two PoPs in Canada, and eight in the United
States.
Researchers reported in October that Chinese telecom firms had been
hijacking internet traffic on a regular basis.
Chris Demchak of the United States Naval War College and Yuval Shavitt
of the Tel Aviv University in Israel traced global border gateway protocol
(BGP) announcements.
They discovered several attacks by state-run China Telecom over the past
few years, according to reports in Secure Reading.
They found that China redirected traffic between Canada and Korean
government networks to its point of presence (PoP) in Toronto for six months in
2016.
Trans Telecom
Trans Telecom is a state-owned Russian
telecommunications company that owns one of the largest networks in the world
of fibre optical cables.
The company is a full subsidiary of Russian
national railway operator, Russian Railways.
The company, known as TTK, has been actively connecting broadband
users in the retail market since early 2011.
In 2017, internet analysts began noticing routing databases picking up TransTeleCom-provided
connections for North Korea.
North Korea has been blamed by Western governments for several major
cyber attacks in recent years, including against banks and Sony Pictures.
TransTeleCom would not confirm any routing deal with the country.
But, analysts said the connection via Russia was handling around 60 per
cent of the country's internet traffic.
ISP MainOne
MainOne is a West African connectivity and data centre provider.
The company provides network, internet solutions and cloud services to
providers in Nigeria, Ghana and all of West Africa.
Since its launch in 2010, MainOne has developed a reputation for
reliable service, becoming the major provider of wholesale internet services to
major telecom operators and government agencies.
The leak started when the cable company based in Lagos, Nigeria suddenly
updated tables in the Internet’s global routing system to improperly declare
that its autonomous system was the proper path to reach prefixes belonging to
Google.
Within minutes, China Telecom accepted the route, followed by
Russian-based Transtelecom.
MainOne has a peering relationship with Google via IXPN in Lagos and has
direct routes to Google, which may have led to the leak.
Neither company was ready to pinpoint the cause more definitively.
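The propagation just described (MainOne re-announcing Google's prefixes, China Telecom and Transtelecom accepting them) is what route monitors such as ThousandEyes and BGPmon look for in collector feeds. The following is an added example, not code from the article or from any of the companies named; every ASN and prefix in it is a constructed placeholder (private ASNs and documentation ranges), and the `MONITORED` inventory and check functions are this example's own design. It shows why a leak of this shape needs a path-level check: the true origin stays last in the AS path, so an origin-only check stays silent.

```python
import ipaddress

# Constructed inventory (private ASNs, documentation prefixes; not the real
# values from the incident): prefixes we defend, the AS allowed to originate
# each one, and the neighbour ASes we expect directly beside that origin.
MONITORED = {
    "203.0.113.0/24": {"origin": {65001}, "neighbours": {65010, 65011}},
    "198.51.100.0/22": {"origin": {65001}, "neighbours": {65010, 65011}},
}

def covering_prefix(prefix):
    """Return the monitored prefix equal to or covering `prefix`, else None."""
    net = ipaddress.ip_network(prefix)
    for mon in MONITORED:
        mnet = ipaddress.ip_network(mon)
        if net.version == mnet.version and net.subnet_of(mnet):
            return mon
    return None

def check_announcement(prefix, as_path):
    """Classify one announcement; as_path is collector-side first, origin last.
    Returns alert strings (an empty list means the route looks as expected)."""
    mon = covering_prefix(prefix)
    if mon is None:
        return []
    rules, alerts, origin = MONITORED[mon], [], as_path[-1]
    if origin not in rules["origin"]:
        alerts.append(f"ORIGIN_HIJACK {prefix}: originated by AS{origin}")
    if prefix != mon:
        alerts.append(f"MORE_SPECIFIC {prefix}: sub-prefix of monitored {mon}")
    # Leak shape from the incident: the true origin is still last in the path,
    # so only an unexpected AS sitting directly beside the origin gives it away.
    if origin in rules["origin"] and len(as_path) >= 2:
        beside = as_path[-2]
        if beside not in rules["neighbours"]:
            alerts.append(f"ROUTE_LEAK {prefix}: origin reached via AS{beside}, path {as_path}")
    return alerts

def scan(feed):
    """Keep only the (prefix, path, alerts) triples that raise an alert."""
    hits = [(p, path, check_announcement(p, path)) for p, path in feed]
    return [h for h in hits if h[2]]

# Constructed collector view: a normal route, the incident's leak shape
# (origin unchanged, peer AS65002 and its upstream AS65003 in the path),
# and a more-specific announced by a foreign origin.
SAMPLE_FEED = [
    ("203.0.113.0/24", (65020, 65010, 65001)),
    ("203.0.113.0/24", (65030, 65003, 65002, 65001)),
    ("198.51.100.0/24", (65030, 65003, 65099)),
]
```

Running `scan(SAMPLE_FEED)` flags the second and third routes only; the first, reached through an expected neighbour, is left alone.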
On Twitter, MainOne claimed the reroute was caused by an error during a
planned network upgrade.
The company wrote: 'We have investigated the advertisement of Google
prefixes through one of our upstream partners.
'This was an error during a planned network upgrade due to a
misconfiguration on our BGP filters.
'The error was corrected within 74mins & processes put in place to
avoid reoccurrence.'
Professor Woodward told MailOnline that because the hijack caused
people's web services to shut down, the incident was likely the result of human
error.
Similar attacks have previously allowed people to continue using the
hijacked service so as not to raise suspicion, though Professor Woodward added
that experts 'could not definitively rule out a malicious attack'.
Regardless of the source, the leak put the traffic of users into foreign
hands, researchers said.
The diversion
'at a minimum caused a massive denial of service to G Suite and Google Search'
and 'put valuable Google traffic in the hands of ISPs in countries with a long
history of Internet surveillance,' ThousandEyes said in a blog
post.
A Google spokesperson told MailOnline: 'We're aware that a portion of
internet traffic was affected by incorrect routing of IP addresses, and access
to some Google services was impacted.
'The root cause of the issue was external to Google and there was no
compromise of Google services.'
HOW CHINA ROUTINELY HIJACKS GLOBAL INTERNET TRAFFIC
Internet traffic between Canada and Korea normally takes a short route:
through Canada, the U.S. and then on to Korea.
Traffic between Scandinavia and Japan was also hijacked between April
and May 2017.
PoPs manage traffic between all the smaller networks called autonomous
systems (AS).
China has ten PoPs in North America, but it doesn't allow any foreign
country PoPs in their country.
The traffic between two autonomous systems is managed with the help of
the Border Gateway Protocol (BGP).
BGP hijacks can also occur by mistake if this system is set up
incorrectly.
Most of BGP hijacking attacks nowadays are the work of government
agencies or criminal organisations with access or control of strategically
placed ISPs, experts warn.
'Building a successful BGP hijack attack is complex, but much easier
with the support of a complicit and preferably large scale ISP that is more
likely to be included as a central transit point among a sea of ASs,' the
report said.
'China Telecom has ten strategically placed, Chinese controlled internet
'points of presence' (PoPs) across the internet backbone of North America.'
'Vast rewards can be reaped from the hijacking, diverting, and then
copying of information-rich traffic going into or crossing the United States
and Canada – often unnoticed and then delivered with only small
delays.'
The full findings of the study were published in the Journal of the Military Cyber Professionals Association.
The company has offered little additional information.
Much of the internet's underpinnings are built on trust, a relic of the
good intentions its designers assumed of users.
One consequence: little can be done if a nation-state, or someone with
access to a major internet provider or exchange, decides to reroute traffic.
Mr Henthorn-Iwane said Monday's hijacking may have been 'a war-game
experiment.'
The theory was backed by Professor Woodward, who said a global hijack
attack could have been carried out by Russia and/or China 'simply to see if
they could'.
He told MailOnline: 'We all rely on the internet nowadays - why hit a
country with bombs and bullets if you can disrupt their web access? It
would cause chaos.'