China Internet Hijacking May Have Been Smokescreen for Targeted Attack: UPDATED
The hijacking of more than 15 percent of Internet traffic by state-owned China Telecom in April may have been intended to conceal one targeted attack, said the U.S.-China Economic and Security Review Commission in a report released Nov. 17.
For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.
The incident affected traffic to and from U.S. government and military sites, including the Senate, Army, Navy, Marine Corps, Air Force, the office of the Secretary of Defense, NASA, the Department of Commerce, the National Oceanic and Atmospheric Administration, “and many others,” the report said.
The commission delivers a yearly report, mandated by Congress, on the bilateral security and trade relationship between the United States and China.
“Although the commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, the incidents of this nature could have a number of serious implications,” the report said.
Security experts at McAfee, the world’s largest dedicated Internet security firm, told National Defense that data could be manipulated, intercepted if not encrypted, or stored for analysis at a later date.
As for encrypted data, the “result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions,” the report said.
The report, quoting Danny McPherson, chief security officer at Arbor Networks, an Internet security firm, said the data could be diverted to a computer where a user didn’t intend to go, for example, a “spoofed site” that could be used to trick him or her into downloading data. The massive diversion of traffic could have “been intended to conceal one targeted attack,” the report said.
China Telecom has said that the rerouting of traffic was accidental.
“Evidence related to this incident does not clearly indicate whether it was perpetrated intentionally and, if so, to what ends,” the commission report noted. Dmitri Alperovitch, vice president of threat research at McAfee, said the fact that the list of hijacked traffic included preselected destinations encompassing .mil and .gov sites was curious. “Why would you keep that list?” Alperovitch asked.
The redirection of data happened because the major telecommunications firms employ a trust-based system to ensure that traffic moves efficiently around the Web. On April 8, China Telecom’s automatic systems “advertised” erroneous routing instructions to the rest of the Internet, claiming that its network was the best way for the data to reach its destination. Traffic that should have travelled only within the United States, in some cases just a few miles, was instead sent to China and then back out. Most users probably never noticed the delay, Alperovitch said. That China was able to handle all that additional traffic “without breaking a sweat” surprised security experts, Alperovitch added.
CLARIFICATION: Alperovitch in a McAfee blog has clarified that 15 percent of the world's routes were directed to China, not 15 percent of the traffic. In an earlier interview he stated: “In terms of the overall traffic they took, it’s very hard to estimate, but it was a lot more than 15 percent of the world’s traffic [that] their pipes were able to handle without crashing.”
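The trust-based route advertisement described above, as an added example that is not from the article or the commission report: a small Python model of how a router picks the most specific announced route regardless of who originated it, beside an expected-origin check (the kind of validation operators now deploy through RPKI route origin authorisations) that flags the unauthorised announcement. All prefixes and AS numbers are constructed from documentation and private ranges, not values from the incident.

```python
import ipaddress
from collections import namedtuple

# as_path lists the ASNs a route was advertised through; the last one is the origin.
Route = namedtuple("Route", "prefix as_path")

# Constructed sample: AS 64500 legitimately originates 192.0.2.0/24, AS 64501
# originates 198.51.100.0/24. AS 64512 announces a more-specific /25 it does not own.
ANNOUNCEMENTS = [
    Route("192.0.2.0/24", [64496, 64497, 64500]),
    Route("192.0.2.0/25", [64496, 64512]),
    Route("198.51.100.0/24", [64496, 64498, 64501]),
]

# ROA-style table of authorised (origin ASN, maximum prefix length) per covering prefix.
EXPECTED = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/24": (64501, 24),
}

def route_for(dest, routes):
    """Forwarding decision a trusting router makes: longest prefix match first,
    then shortest AS path. Nothing here asks whether the origin is entitled to the prefix."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          -len(r.as_path)))

def validate(route, expected):
    """Classify a route's origin as 'valid', 'invalid' or 'unknown' against the table.
    A covered prefix is invalid when its origin or its length is not authorised."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    state = "unknown"
    for cover, (asn, maxlen) in expected.items():
        if net.subnet_of(ipaddress.ip_network(cover)):
            if origin == asn and net.prefixlen <= maxlen:
                return "valid"
            state = "invalid"
    return state

def hijack_report(routes, expected):
    """Map every announced prefix to its validation state; 'invalid' entries are the alerts."""
    return {r.prefix: validate(r, expected) for r in routes}
```

Running `route_for("192.0.2.10", ANNOUNCEMENTS)` shows the more-specific /25 from AS 64512 winning the forwarding decision, while `hijack_report` marks that same announcement invalid.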