'Intentional' event redirects cloud traffic from Apple, Google & others through Russia

AppleInsider

Internet traffic coming into and out of Apple, Facebook, Google, Microsoft, and other companies was briefly redirected through a Russian provider on Wednesday, in what appears to have been a deliberate move.

The incident involved the Border Gateway Protocol, or BGP, which funnels high-level traffic through nodes like internet backbones, according to Ars Technica, citing reports by monitoring services BGPMon and Qrator Labs. BGPMon recorded two three-minute hijacks, affecting 80 address blocks in total. Qrator Labs said the incident spanned two hours, with the number of address blocks fluctuating between 40 and 80.

Some reasons for suspicion include the prominence of the impacted companies, and the fact that IP addresses were split into smaller blocks than those announced by the companies -- something that doesn't normally happen with a BGP configuration error.

The autonomous Russian system that performed the hijack, known as AS39523, was previously inactive for years except for another BGP incident in August that involved Google.

It's unknown what might been done with data if the latest redirect was deliberate, since much or all of it would've been protected by encryption that has yet to be defeated, at least according to public knowledge. An attacker could conceivably have figured out decryption, attempted to crack it, or may be storing the data for future attacks.

negociarlaw

For sure there are very real dangers lurking in cyberspace that must be found and stopped before they do catastrophic damage. 

gatorguy

AppleInsider said:

Internet traffic coming into and out of Apple, Facebook, Google, Microsoft, and other companies was briefly redirected through a Russian provider on Wednesday, in what appears to have been a deliberate move.


The incident involved the Border Gateway Protocol, or BGP, which funnels high-level traffic through nodes like internet backbones, according to Ars Technica, citing reports by monitoring services BGPMon and Qrator Labs. BGPMon recorded two three-minute hijacks, affecting 80 address blocks in total. Qrator Labs said the incident spanned two hours, with the number of address blocks fluctuating between 40 and 80.

Some reasons for suspicion include the prominence of the impacted companies, and the fact that IP addresses were split into smaller blocks than those announced by the companies -- something that doesn't normally happen with a BGP configuration error.

The autonomous Russian system that performed the hijack, known as AS39523, was previously inactive for years except for another BGP incident in August that involved Google.

It's unknown what might been done with data if the latest redirect was deliberate, since much or all of it would've been protected by encryption that has yet to be defeated, at least according to public knowledge. An attacker could conceivably have figured out decryption, attempted to crack it it, or may be storing the data for future attacks.

Not mentioned was yet another incident back in April where payment networks were redirected.
https://arstechnica.com/information-technology/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/

gatorguy

negociarlaw said:

For sure there are very real dangers lurking in cyberspace that must be found and stopped before they do catastrophic damage. 

This has been going on for quite awhile. Sometimes it's Russian traffic redirected to China/others, with the Chinese reportedly behind other events as well in recent years. Russia has probably been behind other redirects themselves. No doubt IMO US agencies have done the same.
https://dyn.com/blog/chinese-routing-errors-redirect-russian-traffic/
https://www.washingtontimes.com/news/2010/nov/15/internet-traffic-was-routed-via-chinese-servers/
https://www.computerworld.com/article/2532289/cybercrime-hacking/cyberattacks-knock-out-georgia-s-internet-presence.html

For its part Russia is actively and aggressively working to keep Russian internet traffic within Russia and under their control. 
https://www.bleepingcomputer.com/news/government/russia-plans-to-keep-internet-traffic-inside-the-country-fearing-foreign-wiretaps/

igorsky

I'd like to know when we're going to give these fuckers a taste of their own medicine.

emoeller

Not that long ago all of the internet backbone servers resided in the US.   It was only a matter of time before this type of activity (and cyber-warfare in general) escalated.  

In the end counties will begin to erect walled gardens to monitor and control extranet activities (Russia, China, Iran etc already have this in place).   The end of the open internet as we had created and known it will unfortunately end.  

Freedom, once lost is very difficult to restore.  We will lose net neutrality today unless we continue to fight for it, and the same goes for the internet itself.

georgebmac

This was likely a test of a future cyber-attack on our nation.

And, it is yet ANOTHER example of how our internet is not a private, for-profit network -- but a national asset essential to our future and our security.

Instead of being abandoned and turned over to others for their fun and profit, it needs to be carefully governed, regulated, protected and nurtured by our government.

jbdragon

igorsky said:

I'd like to know when we're going to give these fuckers a taste of their own medicine.

OH, I'm sure the U.S. Government is just as guilty as they are if not worse.

eideard

Igorsky - so far, the US Govt treats nations the way it treats us. Snooping every aspect of existence is sufficient. Using the info to enable illegal oversight. Cunning enough to avoid fightback. Putin doesn't worry about that.

racerhomiex

jbdragon said:

igorsky said:

I'd like to know when we're going to give these fuckers a taste of their own medicine.

OH, I'm sure the U.S. Government is just as guilty as they are if not worse.

I hope the US is attacking China & Russia soon enough.

rayz2016

gatorguy said:

negociarlaw said:

For sure there are very real dangers lurking in cyberspace that must be found and stopped before they do catastrophic damage. 

This has been going on for quite awhile. Sometimes it's Russian traffic redirected to China/others, with the Chinese reportedly behind other events as well in recent years. Russia has probably been behind other redirects themselves. No doubt IMO US agencies have done the same.
https://dyn.com/blog/chinese-routing-errors-redirect-russian-traffic/
https://www.washingtontimes.com/news/2010/nov/15/internet-traffic-was-routed-via-chinese-servers/
https://www.computerworld.com/article/2532289/cybercrime-hacking/cyberattacks-knock-out-georgia-s-internet-presence.html

For its part Russia is actively and aggressively working to keep Russian internet traffic within Russia and under their control. 
https://www.bleepingcomputer.com/news/government/russia-plans-to-keep-internet-traffic-inside-the-country-fearing-foreign-wiretaps/

Bloody hell. :-O

pkissel

Skynet!  The machine uprising has begun!

volcan

AppleInsider said:
It's unknown what might been done with data if the latest redirect was deliberate, since much or all of it would've been protected by encryption that has yet to be defeated, at least according to public knowledge. An attacker could conceivably have figured out decryption, attempted to crack it, or may be storing the data for future attacks.

Network Solutions SSL certificates were apparently compromised this week. I received an urgent message on Tuesday that I had to reinstall a new certificate by today or else my SSL would be decommissioned tomorrow, the 15th of December even though it doesn't technically expire until 2019. I submitted the new request right away. Not sure what caused the problem but it could be related to Russian hacking.

micdorsey

igorsky said:

I'd like to know when we're going to give these fuckers a taste of their own medicine.

And when that happens, you will read about it *where*?

blah64

volcan said:

AppleInsider said:
It's unknown what might been done with data if the latest redirect was deliberate, since much or all of it would've been protected by encryption that has yet to be defeated, at least according to public knowledge. An attacker could conceivably have figured out decryption, attempted to crack it, or may be storing the data for future attacks.

Network Solutions SSL certificates were apparently compromised this week. I received an urgent message on Tuesday that I had to reinstall a new certificate by today or else my SSL would be decommissioned tomorrow, the 15th of December even though it doesn't technically expire until 2019. I submitted the new request right away. Not sure what caused the problem but it could be related to Russian hacking.

I sincerely hope you did some careful vetting of the info before you acted.  That reads like a hoax would sound, right?  Not that it isn't real, but you'd want to verify through more than one means, i.e. viewing their site not just from your own network, but a VPN or maybe Tor to confirm the problem.

Just took a quick peek at NetSol's site and didn't see anything, but they're such a godawful company I'm sure they wouldn't make their screwups easy to find.  Used them for many horrible years, starting in the very earliest days, thankfully finally 100% netsol-free for the past 5 years or so.  Good luck.

volcan

blah64 said:

volcan said:

AppleInsider said:
It's unknown what might been done with data if the latest redirect was deliberate, since much or all of it would've been protected by encryption that has yet to be defeated, at least according to public knowledge. An attacker could conceivably have figured out decryption, attempted to crack it, or may be storing the data for future attacks.

Network Solutions SSL certificates were apparently compromised this week. I received an urgent message on Tuesday that I had to reinstall a new certificate by today or else my SSL would be decommissioned tomorrow, the 15th of December even though it doesn't technically expire until 2019. I submitted the new request right away. Not sure what caused the problem but it could be related to Russian hacking.

I sincerely hope you did some careful vetting of the info before you acted.  That reads like a hoax would sound, right?  Not that it isn't real, but you'd want to verify through more than one means, i.e. viewing their site not just from your own network, but a VPN or maybe Tor to confirm the problem.

Just took a quick peek at NetSol's site and didn't see anything, but they're such a godawful company I'm sure they wouldn't make their screwups easy to find.  Used them for many horrible years, starting in the very earliest days, thankfully finally 100% netsol-free for the past 5 years or so.  Good luck.

Not to worry. I even called then.  They would only say it was a coding issue but the warning was definitely from them not a phishing scam.

blah64

volcan said:

blah64 said:

volcan said:

AppleInsider said:
It's unknown what might been done with data if the latest redirect was deliberate, since much or all of it would've been protected by encryption that has yet to be defeated, at least according to public knowledge. An attacker could conceivably have figured out decryption, attempted to crack it, or may be storing the data for future attacks.

Network Solutions SSL certificates were apparently compromised this week. I received an urgent message on Tuesday that I had to reinstall a new certificate by today or else my SSL would be decommissioned tomorrow, the 15th of December even though it doesn't technically expire until 2019. I submitted the new request right away. Not sure what caused the problem but it could be related to Russian hacking.

I sincerely hope you did some careful vetting of the info before you acted.  That reads like a hoax would sound, right?  Not that it isn't real, but you'd want to verify through more than one means, i.e. viewing their site not just from your own network, but a VPN or maybe Tor to confirm the problem.

Just took a quick peek at NetSol's site and didn't see anything, but they're such a godawful company I'm sure they wouldn't make their screwups easy to find.  Used them for many horrible years, starting in the very earliest days, thankfully finally 100% netsol-free for the past 5 years or so.  Good luck.

Not to worry. I even called then.  They would only say it was a coding issue but the warning was definitely from them not a phishing scam.

Good for you.  I'm a little embarrassed that picking up the phone wasn't the first verification method that came to my mind!  Sad state of affairs these days.

Also a sad state of affairs for NetSol, apparently.  Did they publish any info whatsoever about the problem on their web site?  Transparency is important! The thing is, a compromise like that, depending up on the nature of their customers' business, could be absolutely devastating.  Or, even for some smaller mom&pop type businesses, they could easily be away on vacation, offline for a few days with the presumption of a turnkey operation just doing its thing.  Return to find their business offline.  I guess that could happen for a variety of reasons, but compromised certificates shouldn't be one.  Mostly I'm just wondering about their public-facing transparency on this.

spice-boy

Don't worry y'all our fearless leader is in a bromance with Russia's fearless leader, we good. 

volcan

blah64 said:

Also a sad state of affairs for NetSol, apparently.  Did they publish any info whatsoever about the problem on their web site?  

Interestingly it was only affecting my Extended Validation certificate but not the regular certificate on a different server. I didn't see anything on their site and nothing came up from a Google search either.

johnny mozzarella

Russia is our friend. They were probably just trying to fix the internet.

hammeroftruth

johnny mozzarella said:

Russia is our friend. They were probably just trying to fix the internet.

Da!  Hey buddy, hold this fuse ok?