China Telecom diverting internet traffic to and through North America

It may seem that I am beating up on a certain country all the time, for unknown reasons of my own, but in fact I am just relaying the accelerating flurry of reports of official misbehavior by that country’s government and state-owned corporations. Now we learn that, allegedly, China Telecom – one of the big three state-owned telecom providers – has hacked North America’s internet infrastructure (PDF link):

China Telecom has ten strategically placed, Chinese controlled internet ‘points of presence’ (PoPs) across the internet backbone of North America. Vast rewards can be reaped from the hijacking, diverting, and then copying of information-rich traffic going into or crossing the United States and Canada – often unnoticed and then delivered with only small delays. […]

Over the past few years, researchers at BGProtect LTD based on the DIMES project [DIMES] at the Tel Aviv University built a route tracing system monitoring the BGP announcements and distinguishing patterns suggesting accidental or deliberate hijacking across many routes simultaneously and with a granularity down to the individual city. Using this technique, the two authors of this paper noticed unusual and systematic hijacking patterns associated with China Telecom. […]

Using these numerous PoPs, CT has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks, and months as demonstrated in the examples below. The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom. While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics – namely the lengthened routes and the abnormal durations. The following are a set of such unusual cases.

An article summarizes:

In 2016, China Telecom diverted traffic between Canada and Korean government networks to its PoP in Toronto. From there, traffic was forwarded to the China Telecom PoP on the US West Coast and sent to China, and finally delivered to Korea.

Normally, the traffic would take a shorter route, going between Canada, the US and directly to Korea. The traffic hijack lasted for six months, suggesting it was a deliberate attack, Demchak and Shavitt said.

Demchak and Shavitt detailed other traffic hijacks, including one that saw traffic from US locations to a large Anglo-American bank’s Milan headquarters being terminated in China, and never delivered to Italy, in 2016.

During 2017, traffic between Scandinavia and Japan, transiting the United States, was also captured by China Telecom, ditto data headed to a mail server operated by a large Thai financial company.

Interestingly, a 2015 Obama-Xi agreement aimed at stopping cyber IP theft by military forces appears to have been somewhat successful. But the agreement did not cover activities by Chinese corporations, and apparently nobody considered the security risks of allowing China Telecom to operate major internet nodes throughout North America. China does not allow US-based ISPs to control pieces of its internet infrastructure in China. Perhaps it’s time for the US and Canada to learn from China’s example.

China Telecom PoP North America

China Telecom’s presence in North America (Source)

Leave a Reply

Your email address will not be published. Required fields are marked *