Russia and China’s ‘attack on Google’: Virtual wargame ‘experiment’ hits search giant

Google has been hit by the ‘worst ever’ internet hijack in the company’s history, security experts fear.

Traffic for Google Search, the company’s cloud-hosting services and its bundle of collaboration tools for businesses, known as G Suite, was all affected.

Data was intercepted by servers in Nigeria, China and Russia – including those run by major state-owned telecoms providers.

Security experts suggested the hijack was a ‘wargame experiment’, meaning it may be a prelude to similar, more widespread attacks from the nations involved.

The type of traffic misdirection employed, known as border gateway protocol (BGP) hijacking, can knock essential services offline and facilitate espionage and financial theft.

It can result either from misconfiguration – human error, essentially – or from malicious action.

In two recent cases, such rerouting has affected financial sites.

In April 2017, one affected MasterCard and Visa among other sites. This past April, another hijacking enabled cryptocurrency theft.

Google is downplaying the incident, saying it does not believe it was malicious.

The firm has yet to confirm the exact nature of the data affected, as well as how many users have been put at risk, with millions potentially in the firing line.

Google service interruptions lasted for nearly one and a half hours and ended about 10:30pm GMT (5:30pm EST), network service companies said.

Google has been hit by an attack that re-routed the firm’s global internet traffic through servers located in Russia, China and Nigeria. Security experts have spoken out about the data diversion, which they believe was part of a ‘wargame experiment’ (stock image)

Network intelligence company ThousandEyes uncovered the hijack.

Alex Henthorn-Iwane, an executive at ThousandEyes, called Monday’s incident the worst affecting Google that his San Francisco company has seen.

He said he suspected nation-state involvement because the traffic was effectively landing at state-run China Telecom.

A recent study by U.S. Naval War College and Tel Aviv University scholars found that China systematically hijacks and diverts U.S. internet traffic.

ThousandEyes named the companies involved in Monday’s incident, in addition to China Telecom, as the Russian internet provider Transtelecom and the Nigerian ISP MainOne.   

The diversion ‘at a minimum caused a massive denial of service to G Suite and Google Search’ and ‘put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance,’ ThousandEyes said in a blog post. 

Google is downplaying the incident, described by one expert as the 'worst ever' in the firm's history, saying it does not believe it was malicious. A Google status page noted that 'access to some Google services was impacted' and said the cause was 'external to Google' (stock)

A Google spokesperson told MailOnline: ‘We’re aware that a portion of internet traffic was affected by incorrect routing of IP addresses, and access to some Google services was impacted.’

‘The root cause of the issue was external to Google and there was no compromise of Google services.’ 

The company has offered little additional information. 

DOES CHINA HAVE A HISTORY OF HIJACKING INTERNET TRAFFIC?

Researchers reported in October that a Chinese telecoms firm had been hijacking internet traffic on a regular basis.

Chris Demchak of the United States Naval War College and Yuval Shavitt of the Tel Aviv University in Israel traced global border gateway protocol (BGP) announcements.

They discovered several attacks by state-run China Telecom over the past few years, according to reports in Secure Reading.

They found that China redirected traffic between Canada and Korean government networks to its point of presence (PoP) in Toronto for six months in 2016. 

Traffic between Canada and Korea normally takes the short route through Canada and the U.S. and then on to Korea; the redirected path went via China Telecom’s Toronto PoP instead.

Traffic between Scandinavia and Japan was also hijacked between April and May 2017.

A PoP is a physical site where a provider’s routers interconnect with other networks, known as autonomous systems (ASes); traffic between the smaller networks passes through these points.

China Telecom has ten PoPs in North America, while China does not allow foreign providers to operate PoPs on its own territory.

Routing between autonomous systems is managed by the Border Gateway Protocol (BGP).

BGP hijacks can also occur by mistake if this system is set up incorrectly.  

Most BGP hijacking attacks nowadays are the work of government agencies or criminal organisations with access to, or control of, strategically placed ISPs, experts warn.

‘Building a successful BGP hijack attack is complex, but much easier with the support of a complicit and preferably large scale ISP that is more likely to be included as a central transit point among a sea of ASs,’ the report said. 

‘China Telecom has ten strategically placed, Chinese controlled internet ‘points of presence’ (PoPs) across the internet backbone of North America.’

‘Vast rewards can be reaped from the hijacking, diverting, and then copying of information-rich traffic going into or crossing the United States and Canada – often unnoticed and then delivered with only small delays.’  

The full findings of the study were published in the Journal of the Military Cyber Professionals Association.

Much of the internet’s underpinnings are built on trust, a relic of the good intentions its designers assumed of users.

One consequence: Little can be done if a nation-state or someone with access to a major internet provider – or exchange – decides to reroute traffic.

Henthorn-Iwane says Monday’s hijacking may have been ‘a war-game experiment.’ 

This graphic shows traffic from network intelligence company ThousandEyes in San Francisco being re-routed through China

The Department of Homeland Security did not immediately respond to a request for comment.

Both ThousandEyes and the U.S. network monitoring company BGPmon said the internet traffic detour originated with the Nigerian company. Neither was ready to more definitively pinpoint the cause.

Most network traffic to Google services – 94 per cent as of October 27 – is encrypted, which shields its content from prying eyes even if diverted. Encryption does not protect availability, however: diverted connections can still be dropped or degraded, which is why the hijack showed up to users as an outage rather than as silent interception.

WHAT IS BGP HIJACKING?

Border gateway protocol (BGP) hijacking is when attackers maliciously reroute Internet traffic. 

Attackers accomplish this by falsely announcing ownership of groups of IP addresses, called IP prefixes, that they do not actually own, control, or route to. 

A BGP hijack is much like if someone were to change out all the signs on a stretch of freeway and reroute automobile traffic onto incorrect exits. 

Because BGP is built on the assumption that interconnected networks are telling the truth about which IP addresses they own, BGP hijacking is hard to stop: it depends on each operator filtering the route announcements it accepts from its customers and peers, and a single unfiltered upstream is enough for a bogus route to spread.

Imagine if no one was watching the freeway signs, and the only way to tell if they had been maliciously changed was by observing that a lot of automobiles were ending up in the wrong neighbourhoods.

However, for a hijack to occur, attackers need to control or compromise a BGP-enabled router that bridges between one autonomous system (AS) and another, so not just anyone can carry out a BGP hijack. 

When an AS announces a route to IP prefixes that it does not actually control, this announcement, if not filtered, can spread and be added to routing tables in BGP routers across the Internet. 

From then until somebody notices and corrects the routes, traffic to those IPs will be routed to that AS. 

It would be like claiming territory if there were no local government to verify and enforce property deeds. 
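The propagation and route-selection behaviour described above, modelled as an added Python example (this is not code from the page, from ThousandEyes or from Google, and every prefix, AS number and origin-authorisation entry in it is constructed for illustration, not the addresses or networks involved in the incident). A transit router accepts a legitimate /24 and then a bogus, more-specific /25 announced by a hijacking AS; the more-specific route wins the forwarding lookup despite its longer AS path, which is why more-specific announcements are the classic hijack vector. The same router with route-origin validation switched on rejects the bogus announcement, and a monitoring function flags it. The ROA table stands in for the RPKI data operators use for that kind of filtering.

```python
"""
Toy model of BGP route propagation, a more-specific prefix hijack, and
origin validation. Added illustration; all prefixes, ASNs and ROAs are
constructed and are NOT the real networks involved in the incident.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost = neighbour we heard it from, rightmost = origin AS

    @property
    def origin(self):
        return self.as_path[-1]


# Constructed ROA-style table: prefix -> (authorised origin AS, maxLength).
# An announcement is 'valid' only if its origin matches and it is no more
# specific than maxLength allows.
ROAS = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),
}


def roa_state(ann):
    """Classify an announcement as 'valid', 'invalid' or 'unknown' (RPKI-ROV style)."""
    covering = [p for p in ROAS if ann.prefix.subnet_of(p)]
    if not covering:
        return "unknown"  # no ROA covers it: nothing to check against
    for p in covering:
        origin, maxlen = ROAS[p]
        if ann.origin == origin and ann.prefix.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def classify(prefix_str, as_path):
    """Convenience wrapper: classify a prefix/path given as plain values."""
    return roa_state(Announcement(ipaddress.ip_network(prefix_str), tuple(as_path)))


class Router:
    """One BGP speaker holding a best route per prefix (path selection simplified)."""

    def __init__(self, asn, drop_invalid=False):
        self.asn = asn
        self.drop_invalid = drop_invalid
        self.rib = {}  # prefix -> best Announcement for that exact prefix

    def receive(self, ann):
        if self.asn in ann.as_path:  # loop prevention, as in real BGP
            return False
        if self.drop_invalid and roa_state(ann) == "invalid":
            return False  # route-origin validation rejects the announcement
        current = self.rib.get(ann.prefix)
        # Best-path selection reduced to one rule: shortest AS path wins.
        if current is None or len(ann.as_path) < len(current.as_path):
            self.rib[ann.prefix] = ann
            return True
        return False

    def lookup(self, ip):
        """Forwarding lookup: longest-prefix match, regardless of AS path length."""
        ip = ipaddress.ip_address(ip)
        matches = [p for p in self.rib if ip in p]
        if not matches:
            return None
        return self.rib[max(matches, key=lambda p: p.prefixlen)]


def detect_unexpected_origins(announcements):
    """Monitoring view: announcements whose origin conflicts with the ROA table."""
    return [(str(a.prefix), a.origin) for a in announcements if roa_state(a) == "invalid"]


def simulate(drop_invalid):
    """Feed a legitimate /24 and a hijacked /25 to a transit router and report the outcome."""
    victim, hijacker, transit = 64500, 64666, 64777
    legit = Announcement(ipaddress.ip_network("203.0.113.0/24"), (64501, victim))
    # The hijacker announces a more-specific prefix it does not own, via a longer path.
    bogus = Announcement(ipaddress.ip_network("203.0.113.0/25"), (64502, 64503, hijacker))
    router = Router(asn=transit, drop_invalid=drop_invalid)
    for ann in (legit, bogus):
        router.receive(ann)
    best = router.lookup("203.0.113.10")
    return {
        "forwarding_origin": best.origin,
        "flagged": detect_unexpected_origins([legit, bogus]),
    }


if __name__ == "__main__":
    print("no filtering:  traffic goes to AS", simulate(False)["forwarding_origin"])
    print("with ROV:      traffic goes to AS", simulate(True)["forwarding_origin"])
    print("flagged:", simulate(True)["flagged"])
```

Real BGP best-path selection has many more tie-breakers (local preference, MED, IGP cost) than the shortest-path rule used here, but none of them matter to the hijack shown: the /25 never competes with the /24 in path selection at all, because forwarding picks the most specific prefix first. That is also why origin validation, or an explicit filter on what a customer or peer may announce, has to happen when the announcement is received, before it enters the routing table.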
