By Jeff Ferry, CPA Research Director
Three Internet security experts have accused state-owned telecom giant China Telecom of diverting internal US Internet traffic through China.
The purpose, apparently, was corporate espionage.
According to Doug Madory, an expert on Internet traffic at Silicon Valley software maker Oracle, China Telecom’s network sent out false signals that diverted Internet traffic supposedly bound for the Verizon network onto the China Telecom network. The traffic passed through Hangzhou and other Chinese cities, and this went on undetected for an incredible 30 months, from late 2015 through 2017, according to Madory.
“China Telecom…has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017,” Madory wrote in his Nov. 5th blog post on Oracle’s website, entitled “China Telecom’s Internet Traffic Misdirection.”
Two academics and Internet security experts, one at the US Naval War College and the other at Tel Aviv University, offered further evidence of China Telecom manipulating Internet traffic in an article published in October in the journal Military Cyber Affairs. This article, entitled China’s Maxim—Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking, and authored by Chris C. Demchak and Yuval Shavitt, cited three additional examples of Internet traffic “hijacked” by CT to pass through China. In these cases, Internet traffic terminating in the US, Canada, South Korea, Italy, Scandinavia, and Japan was targeted and rerouted to pass through China before reaching its intended destination.
Demchak and Shavitt suggested the Chinese government was behind CT’s hijacking operations, because only the government could direct such a large, complex scheme: “Vast rewards can be reaped from the hijacking, diverting, and then copying of information-rich traffic going into or crossing the United States and Canada—often unnoticed and then delivered with only small delays…This gives the malicious attacker access to the organization’s network, to stealing valuable data, adding malicious implants to seemingly normal traffic, or simply modifying or corrupting valuable data. If diverted and copied for even small amounts of time, even encrypted traffic can be broken, as shown in the well known, recent `DROWN’ and `Logjam’ attacks.”
Exploiting The Uncontrolled Internet…and American Naivete
China Telecom’s alleged tactics relied on the voluntary, cooperative nature of the Internet to use a technical maneuver known as Border Gateway Protocol, or BGP hijacking. The Internet is made up of a large number of independently owned, interconnected physical networks. Customers have no control nor even knowledge of which networks their traffic goes through. A corporation may have a contract with a telecom company like AT&T to manage all its Internet traffic. But AT&T partners with dozens of other telecom companies and carriers all hand off traffic to each other depending on which routes are least congested at any given moment. An email from New York to California might travel via Chicago and Omaha on another carrier’s network one minute, but via Kansas City and Las Vegas on a different carrier’s network the next minute.
The networking devices that establish and manage all these possible routes are called routers. The Internet’s routers are constantly “broadcasting” or communicating with each other about all the available routes in their network. According to the security experts, China Telecom’s routers were programmed to broadcast information showing that the shortest path between two points on the Verizon network was via routers in China in the China Telecom network. Figure 1 below is Madory’s representation of the effect of this hijacking, while Figure 2 shows the screenshot evidence of traffic from Los Angeles to Washington going through Hangzhou in China. When Madory discovered the hijacking, he notified telecom carriers including Telia and GTT, who then implemented filters to block the hijacked routes. There is no suggestion that Verizon knew anything about the hijacking. Verizon, of course, has thousands of corporate customers in the US, and thousands of non-Verizon corporate customers send traffic over parts of the Verizon network every day. Corporations send highly proprietary data across their networks in many forms every day, and any of these corporate customers might have been the victim of Chinese corporate espionage.
Figure 1: Graphic depiction of LA-Washington Internet traffic "hijacked" to pass through Chinese network. Source: Oracle.
All three Internet experts, and others too, have suggested introducing new software protocols that would enable routers to validate and confirm that the routes broadcast by other routers are genuinely the shortest routes, and that the routers are who they say they are. However, Internet bureaucracy moves slowly and it’s not clear if any of the players has a strong financial incentive to modify the BGP protocol, which has been criticized for years but remains the dominant Internet protocol.
Figure 2: Traceroute record from December 2017 shows US Internet traffic transiting China and Hong Kong. Source: Oracle.
Another feature of the “Wild West” Internet that makes it easy for hijackers is that Chinese telecom companies have eight “points of presence” (PoP) in the US. These are the giant switching stations where multiple telecom carriers all have networking gear and exchange traffic. The United States, with its free enterprise, internationalist tradition, allows pretty much any telecom company to rent space in a PoP. China Telecom’s PoPs are in all the busiest Internet switching centers in the US, including New York, Ashburn, VA, and San Jose, making it easy for them to gain access to US traffic. The two researchers writing in Military Cyber Affairs point out that the US has no PoPs within China. They call for “Access Reciprocity,” i.e. the US should revoke the right of China’s telecom companies to maintain PoPs here unless US carriers are given the right to run PoPs within China.
The Internet’s Circulatory System
Most people are aware of the dangers of cyber-theft and cyber-snooping in their smartphone or their laptop. But the underground (and undersea) telecom networks, the “circulatory system” of the world’s Internet, present even greater opportunities for a dedicated cyber-spy, especially one hunting for corporate secrets, because the end-user has no control over this huge, complex network. China has three large telecom companies and all of them work closely with the Chinese government, creating opportunities for Chinese security to leverage those relationships.
In addition, China has two hardware companies, Huawei and ZTE, that sell routers and other networking devices to telecom companies. These routers offer another set of opportunities for Chinese cyber-spies to insert bugs inside Western networks. While their activities are restricted in the US, Huawei and ZTE do billions of dollars of business elsewhere in the world. Huawei’s customer list includes the dominant telecom carrier in the UK, France, Germany, and Spain, as well as Vodafone, the world’s largest wireless carrier.
This week, the UK government’s National Cyber Security Centre sent a letter to British telecom companies warning them to take action to ensure that their next-generation wireless networks be “resilient and secure,” according to a Financial Times article. The letter was taken by industry sources as a warning not to rely solely on Huawei for so-called 5G wireless networks, suggesting that Britain may be regretting decisions in recent years to give Huawei a huge footprint in the British telecom network. Both British Telecom and British wireless network Three have announced plans to test 5G network equipment from Huawei. Huawei, a $90 billion privately-owned company, has close links with the Chinese military.
Figure 3: Prof. Yuval Shavitt at a 2015 talk on Internet espionage: "The minute I have access to a group of routers at the periphery of an Internet Service Provider, I'm in a position to change entries in its forwarding tables."