Hijacking internet traffic: When data is rerouted to an unintended network


Alarming incidents of Internet traffic being rerouted to state-owned networks are causing national security concerns.
    • Author: Quantumrun Foresight
    • October 20, 2022

    Insight summary



    Internet traffic hijacking is on the rise due to vulnerabilities in outdated network systems. While encryption has reduced the frequency of such incidents, data rerouted through state-controlled systems poses ongoing risks, including the potential for data interception and manipulation. Efforts to counteract these threats include increased investment in network security, international cooperation on cybersecurity standards, and the gradual adoption of measures for safer Internet routing.



    Hijacking internet traffic context



    Internet traffic hijacks and routing disruptions have become extremely severe, particularly those instigated by China and Russia between 2016 and 2022. Experts urge governments to treat these incidents as national security risks.



    Internet traffic hijacking, also known as Border Gateway Protocol (BGP) hijacking, is a product of weak links in the Internet infrastructure. These vulnerabilities can be as simple as an outdated Internet service provider (ISP) protocol, which cybercriminals leverage to “steal” traffic and route it to a network of their choosing. BGP is considered the “postal service of the Internet”: the protocol is used to discover quick routes from point A to point B across the world’s autonomous systems, much as package delivery services such as FedEx or DHL do for parcels. BGP errors are frequent; however, governments are increasingly taking notice when traffic is routed through state-owned systems.



    Most mistakes last seconds; nonetheless, some issues can persist for hours, enough time for large volumes of data to be intercepted and manipulated. In 2021, the rerouting of European Internet traffic through state-owned China Telecom (CT) persisted for two hours. As a result, the US revoked CT’s ability to operate in the country, citing the company as a national security risk. Although encryption has made hijacked Internet traffic less common, data that flows through a state actor’s system can still be stored, analyzed for weaknesses, and attacked later.



    Disruptive impact



    There are several challenges in the detection and prevention of Internet traffic hijacks. According to a report published in the Cyber Defense Review, some solutions exist, but they lack standardization. However, the Resource Public Key Infrastructure (RPKI), also called Resource Certification, designed by the Internet Engineering Task Force (IETF) to verify ownership of address prefixes (APs, i.e., blocks of IP addresses), appears to be a good standard.



    This measure lets networks verify that the party announcing a prefix is legitimately entitled to do so. However, implementation has been relatively slow. According to the US National Institute of Standards and Technology (NIST), only one-third of APs have valid RPKI entries.
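    To make the ownership check concrete, the following is an added example (not code from the article or from any RPKI implementation) of route origin validation as specified in RFC 6811, run over a constructed table of Route Origin Authorizations (ROAs). All prefixes and AS numbers are documentation/example values, and the `ROA`, `validate` and `flag_invalid` names are this example’s own.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA table.

Added example: prefixes and AS numbers are documentation/example values,
not real RPKI data or real operators."""
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # address block the holder has certified
    max_length: int   # longest (most specific) prefix this ROA authorises
    origin_asn: int   # AS authorised to originate the prefix


# Constructed ROA table (hypothetical ASNs 64500/64501 from the private range).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
    ROA("2001:db8::/32", 48, 64500),
]


def covering_roas(roas, announced):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(announced, strict=False)
    return [r for r in roas
            if ipaddress.ip_network(r.prefix).version == net.version
            and net.subnet_of(ipaddress.ip_network(r.prefix))]


def validate(roas, announced, origin_asn):
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced, strict=False)
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"   # RPKI has no opinion about this address space
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or too specific


def flag_invalid(roas, announcements):
    """Return the (prefix, origin) pairs a ROV-enabled router would reject."""
    return [(p, asn) for p, asn in announcements
            if validate(roas, p, asn) == "invalid"]
```

    An announcement of a certified block from an AS that does not appear in any covering ROA (the pattern the article describes) is classified “invalid”, while prefixes with no ROA at all remain “not-found”, which is why partial RPKI coverage limits the protection.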



    Furthermore, the increasing number of Chinese ISPs has made it more complex to detect BGP hijacks. Since the 2010s, two Chinese telecommunications providers, CT and China Mobile International (CMI), have significantly expanded their networks by adding Points of Presence (PoPs, physical locations or infrastructure where networks interconnect) worldwide. Both are significant players in global Internet transit, with unprecedented access to countries’ networks.



    For example, by 2019 some African nations, such as Angola and South Africa, had increasingly been using CT’s services. At the same time, Russian TransTelecom began announcing several African prefixes it had acquired from CT. Consequently, even though the traffic was bound for destinations worldwide, roughly 350 APs, mainly in Africa, had their traffic flow through TransTelecom via CT’s PoP in Moscow.



    Implications of hijacking internet traffic



    Wider implications of hijacking internet traffic may include: 




    • Increased incidents of Internet hijacks as artificial intelligence is used to detect weak entry points in outdated network systems, particularly in developing nations.

    • More tech companies, like Google and Meta, experiencing service shutdowns or slowdowns.

    • More countries banning or restricting the use of Chinese and Russian network infrastructure.

    • Governments working together to implement a standardized cybersecurity solution to BGP hijacking, including levying sanctions against China and Russia.

    • More companies heavily investing in network security solutions. 

    • Enhanced investment in digital literacy programs by governments and corporations, ensuring a more informed and vigilant online population.

    • Rising instances of international cooperation in cybersecurity, fostering global standards and agreements for internet safety and data protection.

    • Shifts in corporate strategies towards decentralized network systems, reducing the risk of widespread impacts from internet hijacks.



    Questions to consider




    • What else can enterprises do to prevent Internet hijacking?

    • How might Internet hijackings affect people’s ability to work from home?

