China in the mix: Third telco’s the charm? (CONCLUSION)

Hijacking exposes a network to potentially critical damage, Demchak and Shavitt wrote in their study, “because it is not a hack of the endpoint but of the critical exchanges carrying information between end points.”

They explained that the “rerouted traffic flows sensitive data across the collection points of an intervening adversary without any human clicking on suspicious links or a network administrator seeing any surges in unexplained data transfers.”

“This gives the malicious attacker access to the organization’s network, to stealing valuable data, adding malicious implants to seemingly normal traffic, or simply modifying or corrupting valuable data,” they found. “If diverted and copied for even small amounts of time, even encrypted traffic can be broken, as shown in the well-known, recent ‘DROWN’ and ‘Logjam’ encryption attacks.”

Meanwhile, a “man-in-the-middle (MITM) attack can neutralize an organization’s firewall, for example,” they added. “In this form of attack, a bad actor inserts its covert collection method between the sender and real desired destination, between the end points. For another example, with the traffic rerouted into an adversary’s cache, the attacker can learn enough to impersonate trusted sources in or to the attacked network, especially valuable in obtaining validated certificates.”

The data obtained in an MITM attack, the researchers said, “can be used for widely-successful phishing attempts through email, voice, or texting attacks.”

Impersonation attacks, meanwhile, “can allow the malicious attacker to harvest passwords of the company’s web users,” Demchak and Shavitt wrote in the study. “With those keys to the victim’s network in hand, attackers can distort, disconnect, or destroy any part of the company’s network accessible from the Internet, increasingly to include critical financial and physical systems and their backups.”

They also noted that “the closer a network is to the attacker or its complicit ISP, the more likely an attack will succeed because defending administrators are less likely to have enough time to detect, analyze, and mitigate the attack.”

Demchak and Shavitt documented in their study that “China Telecom entered North American networks at the beginning of the 2000s, and has since grown to have 10 PoPs, eight in the US and two in Canada, spanning both coasts and all the major exchange points in the US.”

“Using these numerous PoPs, China Telecom has already relatively seamlessly hijacked domestic US and cross US traffic and redirected it to China over days, weeks, and months.”

They noted that the “patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom. While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics—namely the lengthened routes and the abnormal durations.”

They found that, “[s]tarting from February 2016 and for about 6 months, routes from Canada to Korean government sites were hijacked by China Telecom and routed through China.”

According to them, the shortest and normal route is “Canada-US-Korea.” The hijacked route “started at the China Telecom PoP in Toronto, the traffic was then forwarded inside the Chinese network to their PoP on the US West Coast, from there to China, and finally to delivery in Korea.”

“This is a perfect scenario for long term espionage, where the victim’s local protections won’t raise alarms about the long term traffic detours,” the researchers wrote. “Note that the shortest route between the originators and the destination is definitely not through two China Telecom PoPs in North America to China and only then to Korea.”

They also wrote that this pattern continued for six months, providing “good evidence that this was no short term misconfiguration or temporary internet conditions disruption. This attack repeated later for shorter time durations.”
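The two signals the researchers point to, lengthened routes and abnormal durations, can be checked mechanically against a baseline of expected paths. The following script is an added illustration written for this article, not code from the study or from any operator; it runs over constructed traceroute-style observations (daily probes from a Canadian source to a Korean destination) and reports detours that persist beyond a chosen threshold, separating a months-long episode like the one described above from a brief blip that is more consistent with a misconfiguration. All AS numbers are placeholders from the RFC 5398 documentation range, and the baseline, thresholds and sample data are assumptions.

```python
"""Flag persistent, lengthened route detours in traceroute/BGP observations.

Added example (not from the cited study). All ASNs are placeholders from the
RFC 5398 documentation range (64496-64511) and the baseline is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RouteObservation:
    observed_at: datetime
    src: str          # coarse origin label, e.g. a country or vantage point
    dst: str          # coarse destination label
    as_path: tuple    # ASNs traversed, in order, as seen by the probe


# Constructed baseline: the AS path each (src, dst) pair normally takes.
BASELINE = {
    ("CA", "KR"): (64496, 64497, 64498),   # origin ISP -> US transit -> Korean network
}

# Constructed: transit ASes that never belong on these paths.
UNEXPECTED_TRANSIT = {64500, 64501}


def path_anomalies(obs, baseline=BASELINE, unexpected=UNEXPECTED_TRANSIT):
    """Return the reasons one observation deviates from the baseline ([] if none)."""
    expected = baseline.get((obs.src, obs.dst))
    if expected is None:
        return ["no baseline for pair"]
    reasons = []
    if len(obs.as_path) > len(expected) + 1:        # tolerate one extra hop
        reasons.append("lengthened path")
    if set(obs.as_path) & unexpected:
        reasons.append("unexpected transit AS")
    return reasons


def _close_episode(pair, run, min_duration):
    duration = run[-1].observed_at - run[0].observed_at
    if duration < min_duration:
        return []
    return [{"pair": pair, "start": run[0].observed_at, "end": run[-1].observed_at,
             "duration": duration, "samples": len(run)}]


def persistent_detours(observations, min_duration, max_gap, baseline=BASELINE):
    """Group anomalous observations per (src, dst) into runs separated by at most
    max_gap, and keep only runs lasting at least min_duration."""
    anomalous = defaultdict(list)
    for obs in sorted(observations, key=lambda o: o.observed_at):
        if path_anomalies(obs, baseline):
            anomalous[(obs.src, obs.dst)].append(obs)
    episodes = []
    for pair, hits in anomalous.items():
        run = [hits[0]]
        for obs in hits[1:]:
            if obs.observed_at - run[-1].observed_at <= max_gap:
                run.append(obs)
            else:
                episodes.extend(_close_episode(pair, run, min_duration))
                run = [obs]
        episodes.extend(_close_episode(pair, run, min_duration))
    return episodes


def build_sample_observations():
    """Constructed probe data: ~6 months of detoured daily probes, then normal
    routing, then an isolated one-hour blip."""
    normal = (64496, 64497, 64498)
    # Enters a foreign AS at the origin-side PoP, loops through a second PoP, then exits abroad.
    detour = (64496, 64500, 64501, 64500, 64498)
    t0 = datetime(2016, 2, 1)
    obs = [RouteObservation(t0 + timedelta(days=d), "CA", "KR", detour) for d in range(180)]
    obs += [RouteObservation(t0 + timedelta(days=d), "CA", "KR", normal) for d in range(180, 210)]
    obs.append(RouteObservation(t0 + timedelta(days=250), "CA", "KR", detour))
    obs.append(RouteObservation(t0 + timedelta(days=250, hours=1), "CA", "KR", detour))
    return obs


def report(observations=None):
    if observations is None:
        observations = build_sample_observations()
    return persistent_detours(observations, min_duration=timedelta(days=7),
                              max_gap=timedelta(days=2))


if __name__ == "__main__":
    for ep in report():
        print(f"{ep['pair']}: {ep['start']:%Y-%m-%d} to {ep['end']:%Y-%m-%d}, "
              f"{ep['duration'].days} days over {ep['samples']} probes")
```

Only the 180-day run is reported; the two detoured probes an hour apart are anomalous but fall under the seven-day persistence threshold, which is the distinction the researchers draw between a sustained detour and a short-term misconfiguration.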

They also found that in October 2016, “traffic from several locations in the USA to a large Anglo-American bank headquarters in Milan, Italy was hijacked by China Telecom to China.”

“The attack started at the ChinaNet PoP near Los Angeles and, while it lasted for 9 hours, it did not seem well-planned,” the researchers found. “ChinaNet actors seemed to have difficulties in routing the traffic back to Milan. The route inside the Chinese network changed several times as the attackers worked to try and redirect the traffic back. Ultimately, they seemed to give up sending it on and the traffic never arrived.”

They also described several hijackings of traffic to the mail server (and other IP addresses) “of a large financial company in Thailand” in “April, May, and July 2017,” some of which started in the USA, where “traffic sent from Milan, Italy to Bangkok was hijacked by a ChinaNet PoP in California. This hijack affected at least two large international American-based providers: Cogent and Level3. In parallel there was an attack on providers in South Korea.”

“China’s own national network is fairly isolated from the world, protecting it from foreign hijacking of its own domestic or transit traffic. There are, in principle, only three major internet gateways into China, located in Beijing, Shanghai, and Hong Kong. Hong Kong serves as a large international exchange, a legacy of the time it was ruled by Great Britain,” the two researchers wrote. “Many international companies have PoPs in Hong Kong, but this network is isolated from the rest of China. In fact, the Hong Kong major internet hub presents a great opportunity for China to hijack traffic that traverses it, usually with one end point of the communication being in the Asia Pacific region. Elsewhere in China, US based ISPs have no presence. AT&T has publicized that it has presence in China, but this seems to be only in collaboration with a local player, and not an AT&T directly owned and managed operation.”

If we let China Telecom into our system of internet access points and gateways, is that a tacit agreement to allow the Chinese government to see what data flows through our patch of the internet? Quite possibly.

If we will allow the NMP consortium to include China Telecom, we may, quite literally, be opening our homes and offices to cyber-attacks that may well become digital challenges our sov