Oracle Confirms Research: China Telecom Misdirected U.S. Internet traffic thru China

China Telecom, the largest fixed-line operator in China, is state owned and is bidding to become the third telecommunications network operator in the Philippines. Two weeks ago, a study found that the company has been hacking into internet networks in the United States and hijacking data from countless users.

The research, conducted jointly by scholars from the US Naval War College and Tel Aviv University, found that the Chinese government, acting through China Telecom, has been engaged in data hacking even though it entered into a pact with the U.S. in 2015 to stop cyber operations aimed at intellectual property theft.

Oracle’s Internet Intelligence division has just confirmed the findings of the academic paper published two weeks ago that accused China of “hijacking the vital internet backbone of western countries.”

Doug Madory, Director of Oracle’s Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic “misdirection.” “I don’t intend to address the paper’s claims around the motivations of these actions,” said Madory. “However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017,” Madory said.

[Image: china-telekom-bgp-hijack.png, courtesy of Oracle]

* * *

Madory then goes on to detail several of China Telecom’s BGP (Border Gateway Protocol) route “misdirections,” most of which have involved hijacking US-to-US traffic and sending it via mainland China before returning it to the U.S.

Verizon APAC errors had a knock-on effect, Madory explained: “Verizon APAC … were announcing [routes] to the internet on behalf of their customers. A couple of AS hops away, China Telecom was mishandling them – announcing them in a manner that would cause internet traffic destined for those IP address ranges to flow back through China Telecom’s network.”

* * *

Indeed, the researchers found that China Telecom uses BGP to carry out its data intrusions. Created in the early 1980s, BGP has no built-in security controls, so “bad” BGP announcements often result in misdirected traffic. The majority of these cases are attributed to configuration mistakes.

However, researchers found that China Telecom has been deliberately hijacking BGP routes to send legitimate traffic through malicious servers.

They described the state-owned telco as “one of the most determined BGP hijackers in the international community.”

In order to validate their findings, the researchers built a route tracing system to monitor BGP announcements, allowing them to distinguish between normal, accidental patterns and deliberate ones.

They concluded that China Telecom was responsible for patterns of BGP behavior that “suggest malicious intent, precisely because of their unusual transit characteristics – namely the lengthened routes and the abnormal durations.”

“[China Telecom] has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks, and months,” the researchers said.

“The prevalence of and demonstrated ease with which one can simply redirect and copy data by controlling key transit nodes buried in a nation’s infrastructure requires an urgent policy response,” they warned.

* * *

The routing snafu involving domestic US Internet traffic coincided with a larger misdirection that started in late 2015 and lasted for about two and a half years, Oracle’s Madory said in a blog post published Monday. The misdirection was the result of AS4134, the autonomous system belonging to China Telecom, incorrectly handling the routing announcements of AS703, Verizon’s Asia-Pacific AS. The mishandled routing announcements caused several international carriers—including Telia’s AS1299, Tata’s AS6453, GTT’s AS3257, and Vodafone’s AS1273—to send data destined for Verizon Asia-Pacific through China Telecom, rather than using the normal multinational telecoms.
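As an added illustration of the “lengthened routes and abnormal durations” heuristic described above, here is a small monitor (example code, not Oracle’s or the researchers’ route-tracing system) that scans constructed route-collector updates for a prefix assumed to be originated by Verizon APAC (AS703) and reports any path in which an AS outside the owner’s expected transit set appears for at least a day. The prefix, timestamps and updates are constructed; the AS numbers are the ones named on this page.

```python
from datetime import datetime, timedelta

# Constructed inputs (not from the incidents): prefix -> expected origin AS.
MONITORED = {"203.0.113.0/24": 703}   # documentation prefix standing in for a Verizon APAC range
# Transit ASes the prefix owner expects to see; these are the carriers named on the page.
EXPECTED_TRANSIT = {1299, 6453, 3257, 1273}

# Constructed route-collector style updates: (timestamp, prefix, AS path).
UPDATES = [
    ("2017-03-01T00:00:00", "203.0.113.0/24", [1299, 703]),
    ("2017-03-01T00:05:00", "203.0.113.0/24", [6453, 703]),
    ("2017-03-02T00:00:00", "203.0.113.0/24", [1299, 4134, 703]),  # transits China Telecom
    ("2017-03-05T00:10:00", "203.0.113.0/24", [6453, 4134, 703]),
    ("2017-04-15T00:00:00", "203.0.113.0/24", [1299, 703]),
]

def classify(prefix, path, monitored, expected_transit):
    """Label one AS path as 'clean', 'origin-mismatch' or 'unexpected-transit'."""
    origin = path[-1]
    if origin != monitored[prefix]:
        return "origin-mismatch"
    # Drop the origin itself so AS-path prepending is not mistaken for foreign transit.
    if not (set(path[:-1]) - {origin}) <= expected_transit:
        return "unexpected-transit"
    return "clean"

def analyze(updates, monitored, expected_transit, min_duration=timedelta(days=1)):
    """Report anomalous paths that persist for min_duration and are longer than the
    clean baseline (or carry the wrong origin); one-off sightings are dropped."""
    parsed = [(datetime.fromisoformat(ts), p, path) for ts, p, path in updates if p in monitored]
    clean_len = {}
    for _, prefix, path in parsed:
        if classify(prefix, path, monitored, expected_transit) == "clean":
            clean_len[prefix] = min(clean_len.get(prefix, len(path)), len(path))
    sightings = {}
    for t, prefix, path in parsed:
        kind = classify(prefix, path, monitored, expected_transit)
        if kind == "clean":
            continue
        offenders = tuple(a for a in path if a != monitored[prefix] and a not in expected_transit)
        first, last, longest = sightings.get((prefix, kind, offenders), (t, t, 0))
        sightings[(prefix, kind, offenders)] = (min(first, t), max(last, t), max(longest, len(path)))
    findings = []
    for (prefix, kind, offenders), (first, last, longest) in sightings.items():
        extra = longest - clean_len.get(prefix, longest)
        if last - first >= min_duration and (extra > 0 or kind == "origin-mismatch"):
            findings.append({"prefix": prefix, "kind": kind, "ases": offenders,
                             "extra_hops": extra, "days": (last - first).days})
    return findings
```

On the sample data, `analyze(UPDATES, MONITORED, EXPECTED_TRANSIT)` returns a single finding for AS4134: one extra hop, persisting for three days; a real deployment would feed it updates from a route collector and include the collector’s peer ASes in the expected set.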

* * *

Ahead of the third telco player’s selection Wednesday (November 7), Senators Grace Poe and Francis Escudero already voiced concerns about the possible threats to national security and data privacy in case China Telecom becomes the winner of the bidding.

* * *

References:

http://bilyonaryo.com.ph/2018/11/06/think-tank-unmasks-how-china-telecom-is-hacking-us-networks-hijacking-users/

https://internetintel.oracle.com/blog-single.html?id=China+Telecom%27s+Internet+Traffic+Misdirection

https://www.zdnet.com/article/oracle-confirms-china-telecom-internet-traffic-misdirections/

https://arstechnica.com/information-technology/2018/11/strange-snafu-misroutes-domestic-us-internet-traffic-through-china-telecom/

https://www.theregister.co.uk/2018/11/06/oracles_netwatchers_agree_china_telecom_is_a_repeat_bgp_offender/

3 thoughts on “Oracle Confirms Research: China Telecom Misdirected U.S. Internet traffic thru China”

  1. China Telecom and Duterte ally set to win Philippine telecom license

    An alliance between China Telecom and Davao-based tycoon Dennis Uy is poised to clinch the third major telecom license in the Philippines after it emerged as the lone qualified bidder at an auction on Wednesday.

    Mislatel Consortium — comprising Uy’s Udenna and Chelsea Logistics Holdings, Mindanao Islamic Telephone and China Telecom — has been declared the “provisional” new player, said Selection Committee Chair Ella Blanca Lopez. Uy has close ties to President Rodrigo Duterte and donated to his election campaign.

    Two other bidders — a consortium led by Tier One Communications and LCS Group as well as Philippine Telegraph and Telephone — were disqualified after submitting incomplete documents. Both parties will appeal their disqualification and if successful, their bids will be reopened, said Eliseo Rio, officer in charge at the Department of Information and Communications Technology.

    https://asia.nikkei.com/Business/Telecommunication/China-Telecom-and-Duterte-ally-set-to-win-Philippine-telecom-license

  2. China Telecom Constantly Misdirects Internet Traffic

    Over the past years, China Telecom has been constantly misdirecting Internet traffic through China, researchers say.

    The telecommunication company, one of the largest in China, has had a presence in North American networks for nearly two decades, and currently has 10 points-of-presence (PoPs) in the region (eight in the United States and two in Canada), spanning major exchange points.

    Courtesy of this presence, the company was able to hijack traffic through China several times in the past, Chris C. Demchak and Yuval Shavitt revealed in a recent paper (PDF). China Telecom’s PoPs in North America made the rerouting not only possible, but also unnoticeable for a long time, the researchers say.

    Back in 2010, China Telecom hijacked 15% of the world’s Internet prefixes, which resulted in popular websites being rerouted through China for around 18 minutes. The incident impacted US government (“.gov”) and military (“.mil”) sites as well, the commission assigned to investigate the incident revealed (PDF).

    For the past several years, the Internet service provider (ISP) has been engaging in various forms of traffic hijacking, in some cases for days, weeks, and months, Demchak and Shavitt claim.

    “The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom. While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics – namely the lengthened routes and the abnormal durations,” the researchers note.

    https://www.securityweek.com/china-telecom-constantly-misdirects-internet-traffic

  3. How China diverts, then spies on Australia’s internet traffic

    Internet traffic heading to Australia was diverted via mainland China over a six-day period last year, in what some experts believe may have enabled a targeted data theft.

    The targeting of data bound for Australia comes amid revelations China’s peak security agency has overseen a surge in cyber attacks on Australian companies over the past year, breaching a bilateral agreement to not steal each other’s commercial secrets.

    Home Affairs Minister Peter Dutton expressed concern about the increased number and severity of cyber attacks and said they were imposing a multibillion-dollar cost on the Australian economy.

    “It is unacceptable behaviour by any state actor or non-state actor for that matter to attempt to exploit government IT systems or businesses,” he told the Nine Network.

    The data diversions will only add to concerns around Beijing’s behaviour, with Professor Shavitt saying they happened between the 7th and 13th of June last year and resulted in a small portion of the total internet traffic coming into Australia taking up to six times longer to arrive as it went via China.

    Tel Aviv University Professor Yuval Shavitt believes the target of the attack was a UK cyber-security company with offices in Australia. He suggested the suspected hacking operation was aimed at accessing sensitive data held by the firm.
