Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Did China Spy on Australian Defense Websites?

One Answer Is Clear: Network Re-Routing Raises Suspicions
Did China Spy on Australian Defense Websites?
Fiber optic cable (Photo: Randomhaus999 via Flickr/CC)

For nearly 30 months, internet traffic going to Australian Department of Defense websites flowed through several of China Telecom's data centers, a path the traffic wasn't supposed to take.

See Also: Malware Analysis Spotlight: Why Your EDR Let Pikabot Jump Through

It meant that between late 2015 and earlier this year, China Telecom, a Chinese state-owned telecommunication company, could see what devices were connecting to Australian defense sites, for how long and possibly more.

How the strange routing occurred is known. But the reasons why it persisted for so long aren't, and many involved in the situation aren't eager to directly comment.

The situation points to security issues with the internet around Border Gateway Protocol. The decades-old standard is used to connect networks and is often described as the glue that holds the internet together.

One of the primary players in this situation is Verizon, which provides connectivity for Australian government services, including the Defense Department.

Verizon tells ISMG it is aware of the situation and is investigating. The Department of Defense says it uses a range of measures to mitigate cyber threats, but that it "does not comment on matters of national security."

Jake Williams

The strange routing occurred after a South Korean ISP, SK Telecom, made a BGP change that caused traffic going to Australian defense sites from overseas to pass through China Telecom's backbone network and then onto Verizon's network. Neither China Telecom nor SK Telecom responded to a query.

Jake Williams a former operator with the National Security Agency's Tailored Access Operations unit and founder of Rendition Infosec, a security consultancy in Atlanta, says that if he ran the Australian Signals Directorate, the country's equivalent of the NSA, he'd be worried regardless of whether the routing change was intentional.

"China undoubtedly targets Australian Defense, and it's well known in the infosec community that China monitors much of its internet traffic," Williams says. "Even if the hijack was unintentional, it's nearly inconceivable that the Chinese government didn't benefit from it one way or another."

BGP: How It Works

To understand what happened in Australia and why it's important, here's a simplified explanation of how BGP works.

In order to route browsing traffic around the world, networks must connect with one another. To do that, they use BGP, a protocol that describes how networks - referred to as autonomous systems in networking lingo - link up together.

When a network wants to change how traffic flows to its network, it makes a BGP "announcement." That new route is then recognized by neighboring networks and passed along to others.

Organizations are only supposed to submit changes for networks they control. Although companies can set up filters to reject routing announcements that are likely in error, not all networks have those in place. BGP is largely based on trust between operators, but that trust is eroding.

In a recent incident, a cable company in Nigeria, MainOne, submitted a BGP change for Google's massive network, which then routed some traffic bound for Google through a Russian ISP and China Telecom. That situation had a dramatic affect: Some users couldn't reach Google, and the situation immediately drew suspicion that something nefarious may be afoot (see: Who Hijacked Google's Web Traffic?).

There is a solution for erroneous or malicious BGP announcements called Resource Public Key Infrastructure. The system enables network operators to specify which autonomous systems are allowed to announce route changes, which are then verified using digital certificates.

But all networks across the world would need to implement RPKI, writes Martin J. Levy, who works on network strategy at Cloudflare, in a blog post on Sept. 19. Such large coordinated upgrades of internet infrastructure have been challenging.

"Internet routing and BGP and security, along with its operational expertise, must improve globally," Levy writes.

Hijack Or Mistake?

The Australia situation kicked off on Dec. 10, 2015.

SK Telecom, which acquired Hanaro Telecom in 2007, made a BGP announcement. The announcement changed the routing paths of two Verizon "prefixes," the term for blocks of IP addresses that are part of Verizon's larger network.

Security companies and analysts monitor BGP announcements, both for security reasons and to ensure there are no routing hiccups that delay data flows. One of those monitoring services is BGPmon, which is part of Cisco.

BGPmon's tweets of the Verizon routing change

BGPmon tweets errant routing changes. On that day, it tweeted that SK Telecom, also known as AS9318, had "hijacked" prefixes and, which are part of Verizon's AS9555. Mistakes in managing BGP are usually referred to as leaks, while suspected malicious ones are called hijacks.

Once SK Telecom made its BGP announcement, China Telecom rebroadcasted it, and several other networks - Telia, Tata, GTT and Vodafone - accepted the new routes.

The change struck one analyst, Doug Madory, as odd and potentially concerning. Madory is director of internet analysis at Oracle and is an expert in internet routing. In a Nov. 5 blog post, Madory wrote that he worked for months to raise Verizon and others' attention.

He included a graphic that showed the odd path of traffic to Australian defense sites. It's a traceroute, which shows the path by which someone's computer in London on May 1, 2017, would have taken over the internet to reach

The traffic first went to Telia's network in London, then three more hops through Telia's facilities in New York, Chicago and Ashburn, Va. It was then handed off to China Telecom in Reston, Va. It then was funneled to China Telecom's backbone networks in Los Angeles, Shanghai and then off to Hong Kong. In Hong Kong, the traffic was handed off to Verizon, where it then went to Sydney.

"Prior to this routing phenomenon, it [the traffic] never traversed China Telecom," Madory writes. Madory declined to comment on the situation.

A traceroute that shows the circuitous routing through China Telecom from London to Australia on May 1, 2017 (Source: Oracle)

Verizon peers with SK Telecom, an arrangement where two networks agree to carry the other's traffic for free. Verizon tells ISMG that it can't control BGP announcements outside of its own network.

That is accurate and another reason why BGP is problematic: Anyone can meddle with someone else's network. But it's unclear why Verizon let the erroneous routing persist for so long, especially given its business with the Australian government.

Eventually, Madory successfully alerted Telia and GTT, which put in place filters that would block China Telecom from announcing Verizon's prefixes. But the odd routing was finally fixed for good in April.

Monitor Routing Changes

There's often no evidence to distinguish whether a BGP change is a simply mistake or an intentional hijack. BGP routing mistakes are an everyday occurrence, but there's increasing suspicion that nation-states are intentionally routing traffic in ways to enhance spying capabilities.

Whether fair or not, reasonable doubt doesn't usually apply to internet-related oddities involving China, largely due to the prolific amount of hacking activity that gets attributed to that nation.

Australian Defense Department domains affected by the BGP misdirection

With this case of the Australian defense websites, it's important to note that nothing has surfaced to indicate something nefarious was going on at China Telecom.

"The BGP hijacking risk is real," says Barry Greene, a principal architect with Akamai, a content delivery and network security company. "The problem is people are jumping up and down 'It's China! It's China,' when most of this is just a routing mistake on someone's backbone."

But the length of time the traffic was diverted - two and a half years - was much longer than most BGP errors. For example, the recent situation involving Google was fixed in about two hours.

So were those who were browsing to Australian defense sites at risk? It's hard to say because what a network is doing with passing data traffic is often opaque to the outside. But sitting in the middle of data traffic, as China Telecom was in this case, offers opportunities for "man-in-the-middle" attacks, which can involve spying on traffic or trying to redirect people to bogus websites.

Jose Nazario

Visibility into network traffic can help adversaries track people and their communications, says Jose Nazario, a vice president of product at Censys, a networking and infrastructure security company.

"It's great to know if someone has traveled or if communications increased at times, and you can use it to pinpoint which organizations move data around the world to the counterparts," Nazario says. "Couple that with interception or selective disruption, and you can cause some damage."

The primary defense against spying on internet traffic is encryption. There's been a large push to get websites to employ Transport Layer Security, the successor to Secure Sockets Layer. It means that data exchanged between a website and a user is unreadable without the decryption key, shielding against spying. There are, however, some advanced attacks, such as Logjam, that could result in the discovery of a key to decrypt the TLS traffic if certain conditions are met, exposing data.

Another style of man-in-the-middle attack is directing someone to visit a bogus website or service that impersonates a legitimate one. That entails some high-level trickery involving digital certificates, but this kind of attack may be in reach of a well-funded state actor, Nazario says.

If anything, the Australian situation is a warning sign: Assume the worst when BGP anomalies may be happening, Greene says.

"Ninety percent of these are routing mistakes," he says. "But the threat is real, and when it happens it has the potential to cause a lot of damage."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.