Internet traffic heading to Australia was diverted via mainland China over a six-day period last year, in what some experts believe may have enabled a targeted data theft.
The diverted traffic from Europe and North America was logged as a routing error by the state-owned China Telecom, according to data released for the first time by researchers at Tel Aviv University and the Naval War College in the US.
“We noticed unusual and systematic hijacking patterns associated with China Telecom,” one of the researchers, Yuval Shavitt, a professor at Tel Aviv University, told The Australian Financial Review.
The targeting of data bound for Australia comes amid revelations China’s peak security agency has overseen a surge in cyber attacks on Australian companies over the past year, breaching a bilateral agreement to not steal each other’s commercial secrets.
Home Affairs Minister Peter Dutton expressed concern about the increased number and severity of cyber attacks and said they were imposing a multibillion-dollar cost on the Australian economy.
“It is unacceptable behaviour by any state actor or non-state actor for that matter to attempt to exploit government IT systems or businesses,” he told the Nine Network.
The data diversions will only add to concerns around Beijing’s behaviour, with Mr Shavitt saying they happened between June 7 and 13 last year and resulted in a small portion of the internet traffic coming into Australia taking up to six times longer to arrive as it went via China.
Mr Shavitt believes the target of the attack was a British cyber security company with offices in Australia. He suggested the suspected hacking operation was aimed at accessing sensitive data held by the firm.
Chinese officials downplayed the reports.
“Cyber security is a global issue and cyber hacking is a common challenge faced by every country in the world,” a Foreign Ministry spokesman said at a regular press conference when asked to respond to the reports.
The timing of the diversion was unlikely to have been coincidental and may have coincided with a major project the firm was undertaking for a client in Australia, Mr Shavitt said.
A senior Australian official said intelligence agencies were aware of the issue but could not say with certainty if it was malicious or the result of genuine routing errors.
The official said the activity was being conducted on the edge of the cyber frontier, potentially involving new hacking techniques that experts were still seeking to understand.
Clandestine data capture and assessment, often on a staggering scale, has been practised by Western intelligence agencies, as revealed by the Edward Snowden leaks. But while this data-harvesting raised serious legal and privacy concerns, Western nations have insisted it was never used for stealing commercial secrets.
Alex Henthorn-Iwane, a vice president at internet monitoring firm Thousand Eyes in San Francisco, said the ease of re-routing internet traffic meant it could be used to gather intelligence, especially when the country involved was known for pursuing economic espionage on a large scale.
“Internet routing is run on the honour system, which makes it vulnerable to dishonest actors,” he said.
China Telecom said its routing strategy fully complied with global standards and denied it had “hijacked” traffic going through its network.
“China Telecom insists on [a] compliance operation in strict accordance with local laws, not only in mainland China, but also everywhere in the world,” it said in a statement.
Unusual traffic flows
On November 12 this year, some Google services were affected by unusual traffic flows that routed data through Russia’s TransTelecom and China Telecom. While analysts at Thousand Eyes would not say the re-routing was malicious, they viewed it as suspicious and said it had placed traffic “in the hands of Internet Service Providers in countries with a long history of Internet surveillance”.
While the potential to hijack the so-called Border Gateway Protocol (BGP) has been known for much of the past decade, the issue has gained some prominence across the cyber security community in recent months with the publication of Mr Yuval’s research in conjunction with Chris C. Demchak from the US Naval War College.
“The prevalence of – and demonstrated ease with which – one can simply redirect and copy data by controlling key transit nodes buried in a nation’s infrastructure requires an urgent policy response,” they wrote in a paper published in the Journal of Military Cyber Professionals Association.
The data diversions were possible as China Telecom has 10 Points of Presence (PoPs) in North America. Foreign carriers have no comparable infrastructure across mainland China.
China Telecom has long been regarded as a passive service provider, despite being state-owned, and therefore attracted none of the suspicion of Chinese telecommunications providers such as Huawei or ZTE.
After being contacted by The Australian Financial Review, Mr Yuval provided data on traffic flows into Australia, which has not previously been made public.
The new Australian data shows traffic out of Strasbourg travelling to the east coast of the US but, rather than continuing on to Sydney, being diverted to mainland China before being re-routed via South Korea and Hong Kong and eventually arriving in Australia.
This happened repeatedly over a six-day period with the packets of data taking up to six times longer to arrive than is usual, a warning sign for researchers looking into suspicious activity.
In another example, data from Montreal went to the US east coast and was then diverted to mainland China before either going through South Korea or Hong Kong and then arriving in Sydney. This data took around three times longer to reach its destination than would have ordinarily been the case.
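The warning signs described above (a path that transits countries outside the expected corridor, a large jump in round-trip time, and the same detour recurring day after day) can be checked mechanically from routine path measurements. The example below is added here and is not code from the researchers or their paper; the countries, RTT values, dates and thresholds are constructed to mirror the Strasbourg-to-Sydney case.

```python
from dataclasses import dataclass

# Constructed traceroute-style paths for illustration: each hop is the country of
# the hop's network and the cumulative round-trip time in ms. None are measured.
EXPECTED_CORRIDOR = {"FR", "US", "AU"}   # Strasbourg -> US east coast -> Sydney
BASELINE_RTT_MS = 300.0                  # constructed "normal" end-to-end RTT

NORMAL_PATH = [("FR", 5.0), ("US", 95.0), ("AU", 300.0)]
DETOUR_PATH = [("FR", 5.0), ("US", 95.0), ("CN", 700.0), ("KR", 1200.0),
               ("HK", 1500.0), ("AU", 1800.0)]   # ~6x baseline, via mainland China
# A path change that stays inside the corridor must not be flagged, even though
# its hop set differs from the baseline.
RE_HOMED_PATH = [("FR", 5.0), ("US", 110.0), ("US", 130.0), ("AU", 320.0)]

# Constructed observation series: one normal day, six consecutive detour days,
# then a benign intra-corridor re-homing.
DAILY_PATHS = [("06-06", NORMAL_PATH)] + \
              [(f"06-{d:02d}", DETOUR_PATH) for d in range(7, 13)] + \
              [("06-13", RE_HOMED_PATH)]

@dataclass
class PathCheck:
    day: str
    unexpected_transits: list
    rtt_ratio: float
    suspicious: bool

def check_path(day, path, baseline_rtt_ms=BASELINE_RTT_MS,
               corridor=EXPECTED_CORRIDOR, rtt_factor=3.0):
    """A path is suspicious only when it transits a country outside the expected
    corridor AND its end-to-end RTT is at least rtt_factor times the baseline.
    Requiring both conditions keeps benign intra-corridor path changes quiet."""
    unexpected = sorted({country for country, _ in path if country not in corridor})
    ratio = path[-1][1] / baseline_rtt_ms
    return PathCheck(day, unexpected, round(ratio, 2),
                     bool(unexpected) and ratio >= rtt_factor)

def detour_summary(daily_paths, min_days=3, **kwargs):
    """Persistence is the tell: a single detour may be a routing slip, but the
    same detour recurring across min_days or more observations warrants escalation."""
    checks = [check_path(day, path, **kwargs) for day, path in daily_paths]
    flagged = [c for c in checks if c.suspicious]
    return {"flagged_days": [c.day for c in flagged],
            "persistent": len(flagged) >= min_days,
            "transit_countries": sorted({t for c in flagged for t in c.unexpected_transits})}

if __name__ == "__main__":
    print(detour_summary(DAILY_PATHS))
```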
“There is always a chance this was some ingenious error … but to my mind it happened too often to be a mistake,” Mr Yuval said.
Mr Yuval contacted the affected company and warned the data diversion posed a “severe security risk” and that its “sensitive data” was exposed to a so-called “man in the middle attack”.
This is where malicious software is inserted into emails and other traffic which can then be used to steal data and other confidential information.
“The diversion is only the beginning of an attack … it can then be used to break into a network,” Mr Yuval said.
‘You have to ask why?’
Michael Sentonas, a vice president at cyber security firm CrowdStrike, said BGP was an insecure protocol that left open the potential for traffic to be pushed through a listening post, where even encrypted data could potentially be accessed.
“I don’t think it’s insignificant when traffic destined for Australia or the US goes via China. You have to ask why?” he said. “This needs to be raised as an issue and questions asked.”
The founder of CrowdStrike, Dmitri Alperovitch, a high-profile US critic of China’s cyber hacking campaign, raised the issue of malicious diverting of web traffic in 2010.
At the time little was known about the issue, but over recent years Tel Aviv University has established and refined a tracing system that claims it can differentiate between accidental and deliberate traffic diversions.
In the research paper published by Mr Yuval and Ms Demchak, they revealed data between Canadian and Korean government sites was diverted through China over a six-month period from February 2016, before arriving at its intended destination.
“This is a perfect scenario for long-term espionage, where the victim’s local protections won’t raise alarms about the long-term traffic detours,” the authors said.
The paper highlights three other examples over the past two years, including traffic from Scandinavia to the Japanese office of a major US media outlet being diverted via China.
The pair assert the diversions from China Telecom were part of Beijing’s efforts to “technically” adhere to a cyber agreement signed between the US and China in 2015, while still continuing to steal commercial secrets.
“While the 2015 agreement prohibited direct attacks on computer networks, it did nothing to prevent the hijacking of the vital internet backbone of western countries,” they wrote.