Data router hijacking: why would Russia redirect Apple’s traffic?


Nation states and financially motivated attackers can exploit the trusting nature of the Border Gateway Protocol (BGP), which routes data across the internet, to gather intelligence or steal funds, experts say.

Data from the Mutually Agreed Norms for Routing Security (MANRS), an initiative for reducing routing threats, suggests that for 12 hours last month, the network traffic Apple customers use to access the company’s services was redirected to Rostelecom, Russia’s state-owned telecommunications company.

While MANRS researchers noted there was no information on whether any data was stolen or services affected, the incident would suggest a BGP hijacking if the traffic were rerouted on purpose.

Karim Hijazi, CEO of cyber intelligence company Prevailion, explained that the BGP is a routing protocol for the internet. Its purpose is to route traffic via the most direct path to its destination.

“The problem with BGP, however, is that it’s essentially based on trust. BGP relies on each network node to tell the truth about which IP addresses it owns. If those networks aren’t telling the truth, internet traffic can be intercepted or disrupted,” Hijazi told Cybernews.
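The trust problem described above, seen from the monitoring side: this is an added example, not code from the article or from MANRS, that checks the origin AS of each route announcement against a table of expected origins. The prefixes, AS numbers and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398). Nothing here is real routing data.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}

# Constructed announcements as (prefix, AS path); the origin is the last AS.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64510, 64500]),
    ("198.51.100.0/24", [64510, 64511]),
    ("198.51.100.128/25", [64510, 64511]),
    ("203.0.113.0/25", [64510, 64501]),
    ("192.0.2.0/24", [64510, 64502]),
]


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return a verdict for one announcement against the expected-origin table."""
    if not as_path:
        return "malformed"
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the AS claiming to own the prefix
    # Monitored prefixes that cover this announcement (same IP version only).
    covering = [p for p in expected if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unmonitored"
    # The most specific covering entry decides which origin is expected.
    parent = max(covering, key=lambda p: p.prefixlen)
    if origin == expected[parent]:
        return "ok"
    # Routers prefer the longest matching prefix, so a more-specific route
    # from the wrong origin attracts traffic even while the real route exists.
    return "origin-mismatch" if net == parent else "more-specific-mismatch"


def scan(announcements=ANNOUNCEMENTS):
    """Classify every announcement; returns (prefix, origin AS, verdict) tuples."""
    return [(p, path[-1] if path else None, classify(p, path)) for p, path in announcements]


if __name__ == "__main__":
    for prefix, origin, verdict in scan():
        print(f"{prefix:<20} origin AS{str(origin):<6} {verdict}")
```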


Hijacking street signs

Since the BGP was built on trust, it has no inherent security measures to prevent accidental or deliberate hijacking attempts. For example, in 2008, Pakistan Telecom inadvertently shut down YouTube for most of the planet.

Acting under government instructions to ban access to the popular video platform, the Pakistan Telecommunications Authority accidentally routed virtually all of YouTube's traffic to Pakistan, crashing the servers of local internet providers and YouTube as well.

Other attackers have employed BGP hijacking for financial gain. Unknown attackers took over traffic destined for networks belonging to Amazon, OVH, Digital Ocean, and others for four months in 2014.

It is estimated that the hijackers used the attack to redirect crypto miners’ connections to a mining pool they controlled, allowing them to illicitly earn around $83,000 worth of crypto.

According to Steven Erwin, incident response consultant at cybersecurity firm TrustedSec, the inbuilt trust of the BGP not only makes attacks possible but also makes them regular.

“This isn’t uncommon, due to the inherent trust between BGP operators and the limited amount of BGP security. There have been a few examples of this where BGP hijacking has ended in cryptocurrency theft [and taken] away countries’ ability to use the internet,” Erwin said.


Nation-state league

Nation-states are the likeliest culprits behind BGP hijacking attacks. That’s due to the system's design: to trick the BGP, attackers must control autonomous system numbers, which are mostly managed by internet service providers (ISPs) and governments.

Hijazi explained that BGP hijacking could benefit nation-states in several ways. Most obviously, intercepting web traffic allows an attacker to peek into the data flow and shut down internet access to large swathes of the population.

“A repressive regime could use BGP hijacking to suppress various websites and cut its domestic population off from huge swathes of the world wide web. They can also target specific websites for surveillance purposes, by determining who is visiting those sites and intercepting any or all communications,” Hijazi said.

If Russia did redirect Apple’s traffic intentionally, it wouldn’t be the first time that large tranches of internet chatter were redirected to Russia’s servers. For example, in 2017, traffic for major tech companies such as Google, Facebook, Apple, Twitch, and Microsoft was routed through a Russian ISP.

A year later, a Chinese government-controlled ISP rerouted traffic from Europe's biggest mobile providers. The data went to Europe through China for more than two hours.