IP Hijacking [ML BSide]

In 2016, for six straight months, communications between Canadian and Korean government networks were hijacked by China Telecom and routed through China. In 2017, traffic from Sweden and Norway to a large American news organization in Japan was hijacked - also to China - for about 6 weeks.
What is IP Hijacking (a.k.a. BGP Hijacking), and what are its security implications? Nate Nelson talks to Dr. Yuval Shavitt, from Tel Aviv University’s Cyber Research Center.

Hosted By

Ran Levi

Host, Exec. Editor at PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of Oct. 2021.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Dr. Yuval Shavitt

Researcher, CTO @ BGProtect

Dr. Yuval Shavitt is a Professor of Electrical Engineering at Tel Aviv University and a member of its Blavatnik Interdisciplinary Cyber Research Center. He is also the CTO and original founder of BGProtect LTD.

Episode Transcript:

Transcription edited by Kai Pelzel

[Ran] Hi and welcome to Cybereason’s Malicious Life B-Sides, I’m Ran Levi.
In 2015, the US and China signed an agreement that stated that both countries would stop their military forces from hacking and stealing information from each other. Three years later, in 2018, a paper published by two researchers, Dr. Chris Demchak from the Center of Cyber Conflict Studies at the US Naval War College and Dr. Yuval Shavitt from Tel Aviv University’s Cyber Research Center, exposed what seems to be China’s new modus operandi following the 2015 agreement, a technique known as BGP hijacking or IP hijacking.
In a nutshell, BGP hijacking is when a malicious actor takes over a group of IP addresses that belongs to someone else and forces the rerouting of all or most internet traffic to these addresses. To steal an analogy from Cloudflare’s explainer page on BGP hijacking, it’s like if someone were to change all the signs on a stretch of freeway and reroute road traffic onto incorrect exits.
In the paper, Shavitt and Demchak identify several such attacks by China in the past several years. In 2016, for six straight months, communications between Canadian and Korean government networks were hijacked by China Telecom and routed through China. In 2017, traffic from Sweden and Norway to a large American news organization in Japan was hijacked to China for about six weeks. Russia might be doing the same. In 2017, traffic for Google, Apple, Facebook, Microsoft and several other high-profile organizations was hijacked to Russia for two short periods of three minutes each.
What are the implications of BGP or IP hijacking? Well, according to Demchak and Yuval’s paper, this technique offers the attackers broad access to an organization’s network, allowing them to steal valuable data, add malicious implants to seemingly normal traffic, neutralize the organization’s firewall, and much more.
I found IP hijacking to be an interesting topic not only because of its implications, but because it also brings forth an aspect of our internet technology that we rarely think about. Geography. Yes, geography. We tend to think of internet traffic as disconnected from the physical space we occupy, that cyberspace somehow eliminates the distances between geographical points.
But as IP hijacking shows, and as you’ll shortly learn, it turns out that geography still matters, even when it comes to the internet. The internet consists of many thousands of connected networks which exchange data packets between them. Each such network is called an autonomous system, or AS for short. When a data packet travels through a network, it passes through routers who need to decide where to send that packet so that it reaches its destination. For that purpose, the routers hold special forwarding tables which tell the routers what neighboring AS is closest to the destination address, so that the router can then forward the packet to that neighboring AS.
As an analogy, imagine that I wish to send a letter to a friend living in, say, Gary, Indiana. I don’t know why anyone would choose to live in Gary, Indiana, a city voted the most miserable city in America in 2019. But hey, somebody has to live there, I guess, so I want to send a letter to cheer him up, the poor bastard. Now since I’m an Israeli, I don’t have a clue where exactly is Gary, Indiana, so I give the letter to Nate who’s from New York. Nate too doesn’t know where Gary is, but since Nate is in North America, he is naturally closer to Gary than I am. He’ll probably give the letter to someone who lives in Indiana, and that person being closest to Gary will probably know where Gary is. I mean, somebody has to know where exactly is Gary, Indiana. I hope.
Forwarding tables work much the same way. They instruct routers about where to send data packets so that they’ll get closer and closer to their destinations. Now the contents of these forwarding tables are determined by a key internet routing protocol known as Border Gateway Protocol, or BGP for short.
Now we can finally understand what BGP hijacking is. When an AS announces via the BGP protocol that it owns a block of IP addresses that it doesn’t really own, it causes these forwarding tables to be updated so that internet traffic from neighboring ASes is routed to that AS instead of being routed to its real destination. These misleading announcements can occur by mistake due to an operator error, but they can also be created maliciously and on purpose.
Let’s listen to Nate Nelson, our senior producer, talking to Dr. Yuval Shavitt, one of the paper’s authors, about BGP hijacking. Enjoy the interview.

[Nate] Yuval, could you start off by briefly introducing yourself?

[Yuval] Hi, I’m a professor at Tel Aviv University. I’ve been there for over 20 years. I’m also the CTO of BGProtect, which is a company that is detecting and helping in mitigating IP hijack attacks.

[Nate] The hardest part of the interview is going to be the first part. Could you describe for less technical listeners how the internet transports data packets in as simple terms as possible, really just what’s necessary to understand the kind of hijacking that we’re going to be getting into later in this interview?

[Yuval] Ok, when we want to get data from one point to the other, we need to find a route. What are the different devices called routers along the way that will carry this data? The way it is done in the internet is that IP addresses are allocated by blocks of IP addresses. A block can be as small as a few hundreds of IP addresses, up to millions. And each owner of such a block tells its neighbors about this ownership.
So if I’m a network and each network has a number, so if I’m network number one, I’m telling my neighbors, network number two, three, and four, look, I have this block of IP addresses. If you want to reach them, you can simply send me your data. What these neighbors would do next is they would announce this to their neighbors. And the way it is done in the internet with a protocol called BGP is that they would tell them not only of the fact that they have a way to get to this block of IP addresses, they also tell them the route. So they would tell them, oh, I’m network number two, my neighbor number one has this block of addresses. So if you want to send your data to this block of IP addresses, you can send it through me and I will send it to number one. And then this continues on and on.
So at the end, each network has a collection of suggestions from its neighbors. Each neighbor tells them about a certain path, and the path has all the networks along the way through which you can get to the destination. And we do this for every possible destination in the internet. In the current internet, there are roughly 750,000 to 800,000 such blocks.

[Nate] I see. And because it’s going to be so important to understand the hijacking, could you describe what it means to, you touched on it there, create the shortest route in between two points, why that’s important to how the internet functions and how that relates to BGP?

[Yuval] Shortest route is important, but it’s not the only factor when selecting a route from point A to point B. The internet at the end is also an economic system. And networks or what we call the ISPs, the internet service providers, have preference on who they’re going to use in order to get to a certain destination.
So I might have two of my neighbors presenting me with routes to your network. One is maybe slightly shorter than the other, but the other one is cheaper for me. So although in general in networking, we tend to optimize and do shortest, largest, whatever, in this case, I might actually select a slightly longer route because it costs me less because of the agreement I have with my neighboring providers to get to the destination.
However, when economics is the same, then shortest path will win. So in many, many cases, and people have studied this, but in general, routes tend to be almost shortest.

[Nate] Okay. So now that we have some basis for that, by the way, is there any other important information necessary for people to understand the kind of hijacking that we’re about to talk about? I want to make sure we get it all out there, or do we think that’s sufficient?

[Yuval] So I don’t know if this is too early, but we have to remember that BGP, the internet routing protocol, was designed several decades ago in a time that people were not suspecting that people may actually use this network for malicious acts. So there was no real intrinsic security embedded in the protocol. It is based on belief.
So if I’m telling you, I’m the owner of this block of IP addresses, you would just have to believe me that I’m not lying or that I haven’t made a mistake. And even in the early days of the internet, mistakes did happen, but they were quite rare.
Of course, nowadays things are different. I mean, the internet has become very important for our life, both economical life and social life. And lots of people try to make advantage of BGP in order to obtain data.

[Nate] And for comparison’s sake, what did a mistake, as you say, look like in the early internet? How do you get a mistake?

[Yuval] So a mistake could be of two kinds. One type of mistake is that I tell you by mistake that I own a block of IP addresses that I don’t actually own. So maybe you’re in the US, own a block of IPs, and I’m in Israel, would tell everybody, all my neighbors, oh, this block of IPs belongs to me. As a result, they would start, because I’m their neighbor, they would start sending data to me instead of to you. And they continue to propagate this information to their neighbors, and then a portion of the internet would actually think that I’m the owner of this block, and another portion of the internet would actually believe you that you’re the owner. And the winner will be according to the BGP rules, the economical rules and the shortest path rules.

[Nate] Okay. So before we get into the hijacking, give me some background on China Telecom. Who are they?

[Yuval] So China Telecom is one of the three large Chinese telecom companies. The other two are China Unicom and China Mobile International. And all these networks started about 20, slightly over 20 years ago, got the go ahead from the Chinese government to go out of China. So they control the Chinese market for telecommunication.
And in the last two decades, they start branching out to the rest of the world, building a global network that would allow them to have a global footprint in the telecommunication market. If you think about China Telecom, for example, they have point of presence or POPs in short in North America, in Asia, in Europe, both West and East, and also in Africa.

[Nate] And I know this is a tough question to answer, but what kind of relationship does the companies like it have with the Chinese Communist Party, with the government?

[Yuval] They’re very tight. If you look at the U.S. Senate Committee report from June 2020, I think they don’t even go short of saying that they are owned by the government. I don’t remember the exact wording, but the general belief is that these companies are closely controlled by the Chinese government.

[AD] Malicious Life is sponsored by Cybereason. There is nothing better than a live simulation, especially when you’re fighting cyber attacks that are becoming more and more complex. Defenders are always looking for the critical edge to reverse the attacker’s advantage, and it’s only through live attack simulations that you can truly see what might provide you that winning edge.
Join Cybereason’s global attack simulations to watch firsthand how attackers use the latest infiltration methods and execute on sophisticated malicious operations, and more importantly, how to end these operations before they happen.
Reserve your spot today at cybereason.com/attacksim.

[Nate] So you mentioned briefly that they have points of presence in many different continents. Could you describe in a bit more detail the scale of the company and also exactly what kind of infrastructure we’re talking about that they have outside of Asia, particularly in North America?

[Yuval] So right now, China Telecom has quite a large network. It’s not as large as the tier-one providers that currently exist, networks like AT&T or Telia or Tata, which are significantly larger than China Telecom.
But nevertheless, if you look at the North American map, you see that China Telecom has 10 POPs, two in Canada and eight in the US. And this is certainly a fairly large coverage of the North American continent by a foreign provider, which is not a tier one provider.

[Nate] And I’m not sure that we’ve defined what do we mean by point of presence?

[Yuval] So basically, a point of presence is a place where you keep your networking equipment, your routers, and from there, you give service to a certain area. There are different philosophies on how to build this. Some companies would like to have a lot of small-scale POPs that would cover a small region. Others would like to have fewer POPs, but each POP is giving service to a larger area.
But in general, if your equipment is just spread all over the place, it’s very hard to maintain it and to give it service. So you tend to concentrate your equipment in one or two buildings. And from there, you give service through fiber optics cables to an area that could be as large as Utah or as small as Manhattan.

[Nate] And for the sake of context here, do American or European corporations have similar presences in China? And if not, why not?

[Yuval] No, I don’t think that there’s any non-Chinese company that can have presence in China. Recently, we have seen cases where a Chinese provider would go into agreement with a non-Chinese provider to extend their service in China.
So for example, if Amazon want to have a service in Shanghai, they would go to a Chinese provider. And this provider would work on behalf of Amazon, but Amazon would not actually operate in China. They would have their cloud there, but it will be run by Chinese companies.
So no, non-Chinese companies would not be allowed to operate in China.

[Nate] So last question before we get into the actual hijacking. Why do you think Western countries allow China this kind of foothold where China doesn’t allow Western companies to do the same thing to them? It kind of seems like China is the smarter one out of the two.

[Yuval] Yeah, it’s very hard to tell because if you look at the US market, if you want to be a telephone operator, I don’t think it’s even allowed if you’re not an American. So you cannot have telephone exchange in the US if you’re not American. But with the internet, why not?
So I guess that initially when the internet started, it was not seen as a very serious stuff, unlike telephony. This was universities, exchange of data, it didn’t seem like such a big deal. And it took time until people start realizing how important it is and it was too late because at that time, there was already significant Chinese presence in North America.
But it does seem that in the recent years, and I talked to people in the US administration, and previous administration, they do realize that the situation as it is now cannot continue and there should be some change.

[Nate] Okay, so let’s finally get into it. What is a BGP hijack and how can China Telecom pull it off?

[Yuval] Well, there are several ways to do a BGP hijack.
The easiest one is simply claim that you own a block of IPs that you don’t own. So again, if I’ll continue talking about your IP addresses, so I can claim that I own your IP addresses and if I do it in the right way and if you’re announcing your IP addresses in a way that allow it to me, I can actually get all internet traffic to you to get to my network.
For example, if you announce a large block and I announce a part of this block, the rule in internet routing is small always win over big. So because more specific is always better than less specific. So if you announce a block of say a thousand IP addresses and I announce a block of 500 IP addresses, all the traffic globally to this half of the block would get to me.
And then what I will do, I can do two things. I can impersonate you. So I can use this block, for example, to launch a large spam campaign because I cannot do it from my own IPs because they’re already blacklisted. So I can use your whitelisted IP addresses. Or I can take all the traffic that comes to me and send it to you, the original destination, through a different pipe. And by this, I’m actually making a man-in-the-middle attack. So now all the traffic that goes to you goes through my network. I can manipulate it. I can stop some of it. If it is encrypted, I can run a decryption-based algorithm in order to be able to get the session key. I could do a downgrade attack. So it’s really easier for me to get the encryption decrypted, et cetera.

[Nate] All that sounds a bit technical. So can we expand on what this really means in a larger sense? So what all of these little movements and little errors can amount to?

[Yuval] To put it simply, at the end, a BGP hijack attack puts me in the middle of communication between you and the rest of the world. So if all your communication or if portions of your communication is going through my network, it opens for me the door to manipulate your data, to run espionage campaigns against you, and to try and insert Trojans or other malicious software into your network.
And even if I cannot decrypt, just looking at the pattern of communication going to your network teaches me a lot about what is happening in your facility.

[Nate] So you mentioned a few things that theoretically China Telecom could do with this. Give me a worst case scenario here, the most destructive consequence that could theoretically be wrought by a BGP hijack that we might worry about should China, say, declare cyber war.

[Yuval] It’s very hard to pick up what is the worst because there are lots of bad things that can happen. But let’s think about two or three scenarios.
Scenario number one, I’m hijacking traffic to a nuclear plant, and through a downgrade attack, I can insert a Trojan into a communication channel that was established by somebody from within. So it could be somebody that is going to read the New York Times. And I’m looking at the traffic going from the New York Times to you. I did a downgrade attack, so now it’s easier for me to break the encryption. So I can insert the Trojan into this traffic, and nobody would suspect anything because this is traffic that was actually initiated by somebody from within. And now I’m inside your network. So this is scenario number one. And once I’m inside your network, I can do anything. I can go and look for information, et cetera.
And scenario number two is just disrupt the communication. If I’m hijacking the communication between two important points in your operations, when time comes and you need to react and you rely on the network, you would not have communication because I will just throw all the packets to the floor.

[Nate] So what evidence do we have that China Telecom has actually carried out these hijacks, maybe in not as dire scenarios as we just described? But can you describe, as you did in your paper, some of the specific evidence we have?

[Yuval] So here we’re in treacherous ground because we know for a fact that errors do happen. So whenever we see a traffic deflection, it may be due to some benign error. Somebody was doing something wrong, and we see errors done by anybody.
However, if you look at the number of such deflections in which China Telecom is involved, it is too high to be explained by errors.
I mean, unless we think that Chinese engineers are completely incapable of running a network, and I don’t think this is true, it should be that some of this is actually due to malicious intent.
So in the paper we describe four cases, I cannot tell you for each individual one if this is indeed a malicious act or maybe by some coincidence, this was an error. And I guess nobody can. But we just need to look at the number of events, and I see lots of events, and understand that a good portion of them is due to malicious intent.
To really know which one or which, I would need to be inside the head of the engineer that was operating the network at that time.

[Nate] Could you maybe describe one of them in detail to give people a sense of exactly what this looks like?

[Yuval] So for example, you see traffic leaving Canada, and the point we measure it from was actually around Ottawa, which is close to where the Canadian government sits. And it is destined to a Korean government network. And it is doing this by going through an American provider, and from the US there’s a submarine cable going to Korea.
During the attack, what happened is that traffic is hijacked by China Telecom. So we see that the packets reach China Telecom POP in North America. So the hijack actually start in North America using China Telecom equipment there, or point of presence. And from there it is going to China, and from there to Korea.

[Nate] Do we have any evidence of any other major telecommunications companies outside of China doing BGP hijacking in the way that we have some evidence that China Telecom does it?

[Yuval] Yes. We see lots of IP hijack attacks around the world by large and small companies. We see these done by Russian companies. We saw a small Icelandic company doing this a while ago. Recently there was a hijack by a company in Bangladesh.
Many companies are doing this kind of operation. And again, any one hijack incident can be a mistake. If we see a company that again and again is involved in something like this, then the mistake scenario is becoming less and less plausible.

[Nate] So what are the reasons why a country like Iceland or Bangladesh would do this? And is it unfair for us to focus on China?
Or is the reason you focus on China because they do it more? How do we make context of this worldwide phenomenon?

[Yuval] So a company may do this, like this small Icelandic company, there was a report issued that probably a large criminal organization were somehow paying them money or forcing them by other means to collaborate for monetary purposes.
So this was not a government run activity hijack. By hijacking traffic, you can of course make lots of money if you hijack banks or other financial organizations. And we do see such activities around the world.

[Nate] How is it possible to, how do you go about detecting this kind of thing or at least trying to detect intent as opposed to error? I know it’s tough.
I suppose the larger question is, in the future, should these hijacks continue? How do we in the cybersecurity community start to point them out?

[Yuval] Okay, so to detect an attack really depends how it is done.
So if somebody is announcing a block of IP addresses that it does not own, this is quite easy to detect because we have a list of ownership for blocks. So we can immediately see that the owner is not the real owner. And recently there was a protocol called RPKI that enabled us to run a cryptographically signed database of ownership. So if I own a block, I can sign my ownership of this block and then you can easily verify that I am the one who is allowed, or who are the ones that are allowed, to announce my block.
So detecting this type of hijack is actually quite easy. The problem comes when instead of announcing that you are the owner of the block, you place yourself in the middle of the route as if the route to this block goes through you. So if I want to hijack your block, I wouldn’t claim I own it. I would say, oh yeah, he’s owning the block, but if you want to get to him, I’m his neighbor. So now a large portion of the internet would see me as a preferred route because I’m only one hop away from you, so going through me is quite good. It’s a short route.
And detecting this type of hijack at the x is much harder because now we have to look at the entire route and ask ourselves, is this route legitimate? And in some cases, it is not that hard to see it is not legitimate.
So for example, if there’s communication between two networks in the United States and suddenly in the middle of the route, I see a company from China or Indonesia or Kenya I would say, oh, this is highly implausible that North American communication would go through those locations, through companies that are from those locations. So I would be able to flag this as a suspicious route.
But if traffic is international, if you look at the route from, say, Japan and the US, now on the geographical or geopolitical scale, who are the plausible countries or operators that can be as a middle network in the communication becoming much, much larger? And this makes things harder to detect.
What we do at BGProtect, for example, is that we look at various aspects of the route because we realize that just one aspect may not be enough.
So for example, we do an economical analysis of the route and ask ourselves, can any intermediate network along the route actually make money out of this route? Because we can model the internet economics and see who is paying whom. And the easiest example is if there’s a small provider in the middle of the route and it is surrounded by two large providers.
This is a highly implausible scenario because this small provider is actually paying those large providers for transit. And it doesn’t make sense that he’s going to do them a favor and transit traffic between them.
So he’s losing money by participating in the route. So the question is, why is he in this route? So it could be, again, due to a mistake, but it could be due to a hijack attack.

[Nate] Is it possible that if, say, China wanted to extend their influence and do better at hiding hijacks, that they could create more points of presence around the world?
Is there any way to stop this sort of from becoming more and more difficult to detect? In what ways can we talk about this sort of underbelly of, is basically, are countries aware of this and acting on it?
Or is it something that is still sort of niche to China telecom? Does that make sense? Like the sort of war underneath the war?

[Yuval] So yeah, the more China Telecom is going to expand globally, the harder it will be to detect their hijacks because many routes will suddenly become reasonable with China Telecom.
It is actually more important for them not just to spread geographically, but to be able to place themselves as a legitimate or as a preferred provider for local networks. So right now, if you look at China Telecom’s expansion, so yes, they build a large infrastructure around the world.
But at the end, they are not providing transit services to many networks that are not from China. Well, they do so to a larger extent now in Africa and in Brazil. So in those two locations, detecting hijacks from China Telecom becomes almost impossible because they became an important player in the telecommunication market.
So their presence in a route that ends in either Brazil or South Africa and some other African nations as well, like Kenya, can now be explained by the fact that they’re just a legitimate provider there. So if they will manage to do this also in West Europe and in North America, suddenly detecting hijack attacks by China would be much, much harder.
You will need to actually look at the geography of the route and see whether they route their information, say between two of their customers in the US, through China. And then they can always claim that this is some kind of a mistake within their internal operation.
So yes, as they’re going to expand, it’s going to be harder and harder to detect their hijack attacks. And the same is happening in Africa, where China Telecom and China Mobile are actually gaining momentum, they’re building more POPs and becoming a larger and larger player.