According to a new joint research paper published by the US Naval War College and Tel Aviv University earlier this week, Chinese threat actors have been targeting individual Internet Service Providers (ISP) throughout North America as a primary means to steal/hijack Intellectual Property from Western Democracies dating back to 2015 – namely the US and Canada. The document, entitled “China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking,” explains how different Chinese corporations are leveraging cyber attacks using Border Gateway Protocol as a primary means to intercept, record and decrypt internet traffic/data across various autonomous networks.
In a blog post published on October 26th 2018, as was explained by Catalin Cimpanu, news researcher at ZDNet, “the Chinese government, through China Telecom, has started abusing BGP hijacks after it entered into a pact with the US in September 2015 to stop all government-back cyber operations aimed at intellectual property theft.” Reportedly, this is being done through point-of-presence data centers which China has been setting up throughout the America’s dating back to the early 2000’s. These data centers work by re-routing internet traffic through smaller servers that make up the greater combined internet, and these smaller networks are represented by major companies or corporate networks such as Google, Verizon, public universities, banking systems – et cetera.
As Cimpanu explains, “these smaller networks are known as autonomous systems (AS)” and “Traffic travels between these AS networks with the help of the Border Gateway Protocol (BGP)” – which was first established “in the early 80s and does not feature any security controls, allowing anyone to announce a bad BGP route and receive traffic that was not intended for their network.” Going on to add that “there are also some networks that hijack BGP routes to send legitimate traffic through malicious servers. They do this to carry out man-in-the-middle traffic interception, phishing attacks to steal passwords, or to record HTTPS-encrypted traffic to later decrypt it by leveraging cryptographic attacks such as DROWN or Logjam.”
According to researchers, this is exactly what China has been doing to North American internet traffic dating back to 2015. Perhaps more importantly, this is being done by public corporations operating out of China, such as China Telecom. Quite simply put, the Chinese Government has been deliberately leveraging Chinese based corporations as a primary means to circumvent international law and political pacts signed between the the two nations throughout the past. As one of the authors of the study explained, using public companies, such as China Telecom, “necessitates new ways to get information while still technically adhering to the agreement” – the Obama-Xi Cyber Pact of 2015. “Since the agreement only covered military activities,” researchers added, “Chinese corporate state champions could be tasked with taking up the slack. […] Enter China Telecom.”
Major Attacks Detected Since October 2015:
- Starting from February 2016 and for about six months, routes from Canada to Korean government sites were hijacked by China Telecom and routed through China.
- On October 2016, traffic from several locations in the USA to a large Anglo-American bank headquarters in Milan, Italy was hijacked by China Telecom to China.
- Traffic from Sweden and Norway to the Japanese network of a large American news organization was hijacked to China for about six weeks in April/May 2017.
- Traffic to the mail server (and other IP addresses) of a large financial company in Thailand was hijacked several times during April, May, and July 2017. Some of the hijack attacks started in the USA.
View Full Research Paper: