Internet traffic heading to Australia was diverted via mainland China over a six-day period last year, in what some experts believe may have enabled a targeted data theft.
The diverted traffic from Europe and North America was logged as a routing error by the state-owned China Telecom, according to data released for the first time by researchers at Tel Aviv University and the Naval War College in the US.
“We noticed unusual and systematic hijacking patterns associated with China Telecom,” one of the researchers, Yuval Shavitt, a professor at Tel Aviv University told Fairfax Media.
The targeting of data bound for Australia comes amid revelations China’s peak security agency has overseen a surge in cyber attacks on Australian companies over the past year, breaching a bilateral agreement to not steal each other’s commercial secrets.
Home Affairs Minister Peter Dutton expressed concern about the increased number and severity of cyber attacks and said they were imposing a multibillion-dollar cost on the Australian economy.
“It is unacceptable behaviour by any state actor or non-state actor for that matter to attempt to exploit government IT systems or businesses,” he told the Nine Network.
The data diversions will only add to concerns around Beijing’s behaviour. Professor Shavitt said they happened between the 7th and 13th of June last year and meant that a small portion of the total internet traffic coming into Australia took up to six times longer to arrive because it went via China.
Professor Shavitt believes the target of the attack was a UK cyber-security company with offices in Australia. He suggested the suspected hacking operation was aimed at accessing sensitive data held by the firm.
He said the timing of the diversion was unlikely to have been coincidental and may have coincided with a major project the firm was undertaking for a client in Australia.
A senior Australian official said intelligence agencies were aware of the issue but could not say with certainty if it was malicious or the result of genuine routing errors. The official said the activity was being conducted on the edge of the cyber frontier, potentially involving new hacking techniques that experts were still seeking to understand.
Clandestine data capture and assessment, often on a staggering scale, has been practised by Western intelligence agencies, as revealed by the Edward Snowden leaks. But while this data harvesting raised serious legal and privacy concerns, western nations have insisted it was never used to steal commercial secrets.
Alex Henthorn-Iwane, a vice president at internet monitoring firm ThousandEyes in San Francisco, said the ease of re-routing internet traffic meant it could be used to gather intelligence, especially when the country involved was known for pursuing economic espionage on a large scale.
“Internet routing is run on the honour system, which makes it vulnerable to dishonest actors,” he said.
China Telecom said its routing strategy fully complied with global standards and denied it had “hijacked” traffic going through its network.
“China Telecom insists on [a] compliance operation in strict accordance with local laws, not only in mainland China, but also everywhere in the world,” it said in a statement.
Responding to an earlier story that the Chinese Ministry of State Security was behind a surge in hacking of commercial secrets, the Chinese foreign ministry said on Tuesday that “related reports and accusations are sheer fabrication” and came out of “thin air”.
“Cyber security is a global issue and cyber hacking is a common challenge faced by every country in the world,” a Foreign Ministry spokesman said.
On November 12, some Google services were affected by unusual traffic flows which routed data through Russia’s TransTelecom and China Telecom. While analysts at ThousandEyes would not say that the re-routing was malicious, they viewed it as suspicious and said it had placed traffic “in the hands of Internet Service Providers in countries with a long history of internet surveillance”.
While the potential to hijack routes announced over the Border Gateway Protocol (BGP) has been known for much of the past decade, the issue has gained some prominence across the cyber security community in recent months with the publication of Professor Shavitt’s research in conjunction with Chris Demchak from the US Naval War College.
“The prevalence of – and demonstrated ease with which – one can simply redirect and copy data by controlling key transit nodes buried in a nation’s infrastructure requires an urgent policy response,” they wrote in a paper published in the Journal of the Military Cyber Professionals Association.
The data diversions were possible as China Telecom has 10 Points of Presence (PoPs) in North America. Foreign carriers have no comparable infrastructure across mainland China.
China Telecom has long been regarded as a passive service provider, despite being state-owned, and therefore has attracted none of the suspicion of Chinese telecommunications providers like Huawei or ZTE.
After being contacted by Fairfax Media, Professor Shavitt provided data on traffic flows into Australia, which has not previously been made public.
The data shows traffic came out of Strasbourg travelling to the east coast of the US, but rather than continuing on to Sydney, it was diverted to mainland China before being re-routed via South Korea and Hong Kong before eventually arriving in Australia.
This happened repeatedly over a six-day period with the packets of data taking up to six times longer to arrive than is usual, a warning sign for researchers looking into suspicious activity.
In another example, data from Montreal went to the US east coast and was then diverted to mainland China before either going through South Korea or Hong Kong and then arriving in Sydney. This data took around three times longer to reach its destination than would have ordinarily been the case.
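The two warning signs described above, an AS path that passes through a network that has no business sitting between Europe or North America and Sydney, and round-trip times several times the baseline, can be checked automatically. The following monitor is an added example, not code from the article or the researchers; every ASN, prefix and timing in it is constructed (private-use ASNs stand in for real carriers).

```python
# Added example: flag route observations whose AS path transits a network
# outside an allow-list, or whose RTT has jumped far above baseline.
# All ASNs, prefixes and timings below are constructed placeholders.
from dataclasses import dataclass

ORIGIN_ASN = 64512                      # hypothetical origin of the Sydney prefix
EXPECTED_TRANSIT = {64513, 64514, 64515}  # hypothetical carriers expected on the path


@dataclass
class RouteObservation:
    prefix: str             # monitored prefix (constructed)
    as_path: list           # AS path seen from a vantage point, origin last
    rtt_ms: float           # measured round-trip time to the prefix
    baseline_rtt_ms: float  # normal RTT from the same vantage point


def unexpected_transit(as_path, expected=EXPECTED_TRANSIT, origin=ORIGIN_ASN):
    """Return the ASNs in the path that should not be carrying this traffic.
    Every ASN before the origin is a transit network; if the origin itself is
    wrong, the whole path is suspect (an origin hijack rather than a detour)."""
    if not as_path or as_path[-1] != origin:
        return set(as_path)
    return {asn for asn in as_path[:-1] if asn not in expected}


def latency_ratio(obs):
    """How many times slower than its baseline this observation is."""
    return obs.rtt_ms / obs.baseline_rtt_ms


def classify(obs, max_ratio=3.0):
    """Return alert strings for one observation; an empty list means clean."""
    alerts = []
    bad = unexpected_transit(obs.as_path)
    if bad:
        alerts.append(f"{obs.prefix}: unexpected transit ASNs {sorted(bad)}")
    ratio = latency_ratio(obs)
    if ratio >= max_ratio:
        alerts.append(f"{obs.prefix}: RTT {ratio:.1f}x baseline")
    return alerts


if __name__ == "__main__":
    # Constructed observations: a normal route, then one shaped like the
    # diversion described above (extra transit hop, RTT six times baseline).
    normal = RouteObservation("203.0.113.0/24", [64513, 64514, 64512], 300.0, 290.0)
    diverted = RouteObservation("203.0.113.0/24", [64513, 64516, 64515, 64512], 1740.0, 290.0)
    for obs in (normal, diverted):
        print(obs.as_path, classify(obs) or ["clean"])
```

In practice the AS paths would come from a route collector or the organisation's own BGP feed and the RTTs from regular probes, with the allow-list built from the carriers observed on the path during a known-good period.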
“There is always a chance this was some ingenious error … but to my mind it happened too often to be a mistake,” Professor Shavitt said.
He contacted the affected company and warned the data diversion posed a “severe security risk” and that its “sensitive data” was exposed to a so-called “man in the middle attack”.
In such an attack, a third party positioned on the traffic path can read or tamper with emails and other traffic, including by inserting malicious software, and use that access to steal data and other confidential information.
“The diversion is only the beginning of an attack … it can then be used to break into a network,” Professor Shavitt said.
Michael Sentonas, a vice-president at cyber-security firm CrowdStrike, said BGP was an insecure protocol which left open the potential for traffic to be pushed through a listening post, where even encrypted data could potentially be accessed.
“I don’t think it’s insignificant when traffic destined for Australia or the US goes via China. You have to ask why?” he said.
“This needs to be raised as an issue and questions asked.”
In the research paper published by Professor Shavitt and Ms Demchak, three other examples over the past two years are highlighted, including traffic from Scandinavia to the Japanese office of a major US media outlet being diverted via China.
The pair assert the diversions from China Telecom were part of Beijing’s efforts to “technically” adhere to a cyber agreement signed between the US and China in 2015, while still continuing to steal commercial secrets.
“While the 2015 agreement prohibited direct attacks on computer networks, it did nothing to prevent the hijacking of the vital internet backbone of Western countries,” they wrote.