Suspicion Arises After Internet Traffic Was Rerouted Through Russia

Something really strange happened to the internet on Wednesday — and the currently unexplained incident is bringing up some troubling questions.

Reportedly, on Dec. 13, internet traffic sent to and from major tech companies like Google, Facebook, Apple and Microsoft was briefly routed through a Russian internet provider. The incident involved the Border Gateway Protocol (BGP), which funnels high-level traffic among internet backbones, ISPs and large networks, ARS Technica reported.

Researchers have called the event both highly suspicious and very likely a deliberate action. And many have called out the reliability of BGP communications: while BGP handles highly sensitive and large amounts of data, its security is usually based on simple trust and word of mouth.

According to a blog post, internet monitoring service BGPMon detected two hijack events that lasted a total of six minutes and affected 80 separate address blocks. The first event started at 4:43 UTC and lasted for three minutes, while another hijacking that started at 7:07 UTC lasted another three minutes.

Another internet monitoring service, Qrator Labs, also detected the strange incident. In their own blog post on the matter, Qrator reported that they detected an event that lasted for a total of two hours. During that time, hijacked address blocks varied from 40 to 80.

Why This Is Suspicious

While similar rerouting events in BGP are usually the result of simple human error, researchers at BGPMon called Wednesday’s incident “suspicious.”

For one, the data belonged to highly prominent companies (Google, Facebook, Apple, Microsoft), but also included Twitch, NTT Communications, and Riot Games. A few targets were seemingly handpicked, and researchers said that hijacked IP addresses were broken down into smaller and more specific blocks than announced by impacted companies — in other words, a sign that the hijacking was “intentional.”

AS39523

The rerouting was performed by an autonomous system in Russia, AS39523, which added entires to the BGP tables claiming it was the origin of the 80 block addresses. Because of that, a lot of traffic got sent through that Russian system before reaching its destination.

Stranger still, AS39523 hasn’t been active in years — except for one BGP incident in August that involved Google traffic.

Implications

It’s not clear what AS39523 engineers could do with the terabytes of data they collected. Generally, that type of communications data is encrypted. There’s not currently a precedent for BGP hijackers decrypting data, but it’s certainly possible.

Worryingly, the Russian provider could have collected and copied the data for storage in case a method for decryption is developed in the future.