Cyber-security puzzle: Who is sending Internet traffic on long, strange trips?
Data streams from US financial companies and foreign governments sent out over the Internet are being rerouted by computer hackers — diverted to overseas locations where they can be spied upon or altered, then shot along to their expected destination with barely a delay and nobody the wiser, cyber-security experts say.
Victims whose Internet traffic was diverted included major US financial institutions, network service providers, and foreign governments including South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.
Beginning in February and then again in August, Internet data streams were redirected almost daily — with different entities targeted sometimes over multiple days — according to Renesys, a cyber-security company in Manchester, N.H., that specializes in monitoring Internet pathways.
In each case, the intentional diversion sent the company or government data stream cascading overseas to a distant location — then quickly on to its expected destination in less than a second — with nobody noticing. Well, almost nobody.
Doug Madory, a Renesys expert, is one of the few able to see what was going on. As he watched his computer monitor in late summer, he says, unidentified hackers subtly diverted a US Internet provider's Denver data stream — its e-mails and electronic file transfers — that was intended to travel just across town to another Denver location.
"Route hijacking has been around for a long time, but it's typically been accidental, brief, and highly public," Mr. Madory says. "What we're seeing now is subtle, almost impossible to detect — a man-in-the-middle setup to intercept data over relatively long periods of time: several hours or even an entire day. It looks like a targeted attack by either a criminal organization or nation state."
Typically the Denver data would follow the cheapest, if not most direct, path over the Internet via fiber optic lines, routers, and servers to Dallas, then to Kansas City, then back to Denver, Madory says. Out of the way, but not unduly so.
But what he saw in August was the Denver data instead skipping more than 3,600 miles from Chicago to New York and on to London — then finally to an Internet service provider (ISP) in Reykjavik, Iceland.
That wasn't the end of the trip. From there, the Denver data shot 3,600 miles back to the US via transit points in Montreal, Chicago, Kansas City — and at last to its intended destination just across town in Denver. The entire 12-stop trip took just two-tenths of a second — about a tenth of a second longer than usual.
It was not enough of a delay for most people to notice. Yet during its visit to Iceland, the Denver data stream could have been copied or tampered with, Madory and other experts say. Traffic protected end to end by encryption such as TLS would be exposed only as ciphertext, though the detour itself, and who was talking to whom, would still be visible to whoever sat on the path.
The phenomenon is called Border Gateway Protocol hijacking, or BGP hijacking. BGP is the routing protocol by which the Internet's networks tell one another which blocks of addresses they can reach; routers largely trust those announcements and prefer the most specific one, so a network that announces address space it does not hold, and whose neighbors accept the announcement, draws in the traffic bound for that space. Until now such occurrences have been very brief — just a few minutes until the problem is detected.
In one example, Pakistani authorities, angry over an anti-Muslim video posted on YouTube in February 2008, ordered the nation's telecom provider to cut access to the YouTube site. But instead of blocking YouTube access just in Pakistan, the bogus route announcement that technicians used to "hijack" traffic to the site leaked to ISPs outside the country — blocking YouTube worldwide for about two hours.
In 2010 a Chinese ISP momentarily hijacked about 10 percent of all Internet traffic, including data that should have gone to CNN, Dell, Apple, and Starbucks but was mistakenly sent to China instead. The incident lasted for just minutes, and the ISP said it was an accident caused by the misconfiguration of its system.
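The incidents above are caught the same way a route monitor such as Renesys or BGPmon catches them: by comparing what the routing system announces against what the legitimate network owner is expected to announce. The following is an added example, not code from the article, Renesys or BGPmon. It applies three standard checks to constructed BGP announcements: an unexpected origin for a monitored prefix, a more-specific prefix (which wins under longest-prefix matching, as in the YouTube leak) announced by someone else, and a path in which an unknown network claims to sit directly in front of the real origin. The ASNs (AS64496 to AS64511) and prefixes (203.0.113.0/24, 198.51.100.0/24) are from the ranges reserved for documentation; the expectations and sample updates are invented for the example.

```python
"""Toy BGP hijack detector (added example; not the article's or any monitor's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    """What a monitored prefix should look like in the global routing table."""
    prefix: str
    origin_asn: int
    upstreams: frozenset  # ASNs that legitimately sit directly before the origin


@dataclass(frozen=True)
class Update:
    """One BGP announcement as seen by a route collector."""
    prefix: str
    as_path: tuple  # leftmost = neighbour that sent it to us, rightmost = origin AS


def _collapse_prepends(path):
    """Drop consecutive repeats: prepending (64496 64496 64496) is legitimate
    traffic engineering and must not be mistaken for a new neighbour."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def check_update(update, expectations):
    """Return [(severity, reason), ...] for one announcement."""
    alerts = []
    seen = ipaddress.ip_network(update.prefix, strict=True)
    path = _collapse_prepends(update.as_path)
    origin = path[-1]
    for exp in expectations:
        legit = ipaddress.ip_network(exp.prefix, strict=True)
        if seen.version != legit.version:
            continue
        if seen == legit:
            if origin != exp.origin_asn:
                alerts.append(("high", f"{update.prefix} originated by AS{origin}, "
                                       f"expected AS{exp.origin_asn} (origin hijack)"))
            elif len(path) >= 2 and path[-2] not in exp.upstreams:
                # The real origin is kept at the end of the path so the route looks
                # genuine, but the network in front of it is not a known upstream.
                alerts.append(("medium", f"{update.prefix}: AS{path[-2]} appears as an "
                                         f"upstream of AS{exp.origin_asn} but is not a "
                                         "known one (possible forged path)"))
        elif seen.subnet_of(legit):
            # Routers prefer the longest matching prefix, so a more-specific
            # announcement beats the legitimate aggregate wherever it propagates.
            if origin != exp.origin_asn:
                alerts.append(("high", f"more-specific {update.prefix} of {exp.prefix} "
                                       f"originated by AS{origin} (more-specific hijack)"))
            else:
                alerts.append(("info", f"more-specific {update.prefix} of {exp.prefix} "
                                       "announced by its own origin (deaggregation)"))
        # A less-specific (covering) prefix does not steal traffic from the
        # legitimate route, so it is not flagged here.
    return alerts


def scan(updates, expectations):
    """Run every update through check_update and return all alerts in order."""
    alerts = []
    for update in updates:
        alerts.extend(check_update(update, expectations))
    return alerts


# Constructed sample: AS64496 owns 203.0.113.0/24 and buys transit from AS64500/AS64501.
EXPECTATIONS = [Expectation("203.0.113.0/24", 64496, frozenset({64500, 64501}))]
SAMPLE_UPDATES = [
    Update("203.0.113.0/24", (64510, 64500, 64496, 64496)),  # legitimate, with prepending
    Update("203.0.113.0/24", (64510, 64511)),                # origin hijack
    Update("203.0.113.0/25", (64510, 64505)),                # more-specific hijack
    Update("203.0.113.0/24", (64510, 64505, 64496)),         # forged path, real origin kept
    Update("198.51.100.0/24", (64510, 64509)),               # not a monitored prefix
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_UPDATES, EXPECTATIONS):
        print(f"[{severity}] {reason}")
```

Run against the sample, the scan raises two high alerts and one medium one and stays silent on the legitimate, prepended route and on the unmonitored prefix. The caveat is the one the article's sources raise: a monitor only sees the announcements its collectors receive, so a hijack engineered to reach only some networks, while traffic still arrives at its destination, can be invisible from a vantage point outside the affected region.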
But the recent, extremely subtle attacks detected by Renesys were conducted over many hours or even a day or more — and look a lot like a classic "man-in-the-middle" cyber-espionage attack in which a victim organization never sees its data being intercepted en route to its intended destination, others agree.
"This looks like a sophisticated approach probably only available to elite hacktivists, criminal groups, and nation states," says Richard Bejtlich, chief security officer for Mandiant, based in Alexandria, Va. "If you can do a man-in-the-middle attack, then you can get access to people's banking credentials. So it's probably most interesting to criminal organizations."
Intelligence organizations in Russia and China might be interested, although the National Security Agency perhaps less so. The NSA already has direct access to fiber optic cables worldwide, according to documents leaked by Edward Snowden, the former NSA contractor.
"China and Russia are well instrumented inside their borders, but when they want access outside they have to do these kinds of tricks, so that might be what we're seeing," Mr. Bejtlich says.
In February, Madory and other experts at Renesys observed a sequence of subtle but unusual events lasting up to several hours. The redirections of Internet data took place almost daily during the month, with victim networks changing daily.
In each case, governments, US financial institutions, and network service providers worldwide had their data quietly redirected, first to Moscow, then finally to the Belarusian ISP GlobalOneBel — and then sent onward to the intended destination.
"We saw it start off looking like a criminal operation, targeting the financial companies," Madory says. "The next day we saw it targeting foreign governments, so we thought maybe it's a nation state. Now it's not clear whether this group was a government or a criminal operation."
On one day in February, Madory says, traffic from many places around the world was redirected to Belarus. In one example, data sent from Guadalajara, Mexico, to Washington, D.C., would have traveled 6,535 miles through Moscow to Belarus — then on to its destination in Washington. That hijacked trip took about 238 milliseconds — roughly a quarter of a second for the data to arrive at its proper location — compared with about a tenth of a second if the data had not been diverted. Humanly imperceptible, Madory says.
It's not clear whether the ISP operators in Belarus or Iceland were participants — or whether someone just hacked their network, he says. Other experts who haven't seen the data are circumspect.
"Whether this specific incident was intentional or not, cases like this do typically have a negative effect on the victim," writes Andree Toonk, founder and lead developer at BGPmon Network Solutions, another firm that tracks BGP attacks and hijacking, in an e-mail.
"It's also not hard to imagine what the possibilities are when trying to set up an attack like [this] with bad intentions."