Security Breach: Traffic from Major Sites Was Routed Through Russia Recently

A deliberate shift of internet traffic from one country to another always looks suspicious, and that is what happened on Wednesday, when traffic destined for some of the most popular internet brands was routed through Russian servers.

Border Gateway Protocol (BGP), which is responsible for routing traffic between the networks that make up the internet, is sometimes rerouted by accident. However, Wednesday's incident, in which a Russian network briefly hijacked traffic for Google, Apple, Microsoft, Facebook, Twitch, NTT Communications, Riot Games and other American tech giants, appears to have been deliberate.

The suspicion is strengthened because the Russian autonomous system that performed the hijack, AS39523, has previously attempted a similar attack, notably against Google, while otherwise remaining largely inactive for years.

Two comparable incidents occurred earlier this year: one in August, involving a route leak between Google and Verizon, and one in April, involving the rerouting of traffic for Google, Mastercard and Visa.

About the Hijack

The monitoring service BGPMon reported that the recent hijack happened twice, for three minutes each time: once between 9:43 pm and 9:46 pm PST on December 12, and again from 12:07 am to 12:10 am PST the next day.

BGP tables define where data is to be forwarded as it is funneled across the globe. When AS39523 inserted itself into these tables by announcing the affected address blocks, routers and web clients forwarded data to it under the impression that it belonged to the companies involved.

BGPMon's report specified that between 40 and 80 of these address blocks were announced over a period of two hours, and that the IP addresses were split into smaller blocks. Because routers prefer the most specific route they know for a destination, announcing smaller blocks is what would allow large amounts of traffic to pass through Russian borders.
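To make the mechanism concrete, the following Python example is added here and is not code from the article or from BGPMon: it simulates longest-prefix-match route selection in a routing table and a BGPMon-style check that flags announcements whose origin AS differs from the registered one. The victim prefix 203.0.113.0/24 and its origin AS 64500 are constructed documentation values; only AS39523 comes from the article.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int


class Rib:
    """Minimal routing table: picks the most specific matching prefix, as BGP routers do."""

    def __init__(self):
        self.routes = []

    def announce(self, prefix, origin_as):
        self.routes.append(Route(ipaddress.ip_network(prefix), origin_as))

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes if addr in r.prefix]
        # Longest prefix wins, so a /25 beats the legitimate /24 covering it.
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


# Constructed registry of who legitimately originates which space (hypothetical values).
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500}


def detect_origin_hijacks(rib, expected_origin):
    """Return (prefix, seen_origin, expected_origin) for routes inside registered space
    that are announced by an AS other than the registered one."""
    alerts = []
    for r in rib.routes:
        for legit_prefix, legit_as in expected_origin.items():
            if r.prefix.subnet_of(ipaddress.ip_network(legit_prefix)) and r.origin_as != legit_as:
                alerts.append((str(r.prefix), r.origin_as, legit_as))
    return alerts


def build_demo_rib():
    """Constructed scenario: the owner announces its /24, then AS39523 announces two /25s."""
    rib = Rib()
    rib.announce("203.0.113.0/24", 64500)     # legitimate announcement
    rib.announce("203.0.113.0/25", 39523)     # more-specific hijack, first half
    rib.announce("203.0.113.128/25", 39523)   # more-specific hijack, second half
    return rib


if __name__ == "__main__":
    rib = build_demo_rib()
    print("traffic for 203.0.113.10 now goes to AS", rib.lookup("203.0.113.10").origin_as)
    for alert in detect_origin_hijacks(rib, EXPECTED_ORIGIN):
        print("ALERT: %s originated by AS%d, expected AS%d" % alert)
```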

These facts, together with the prominence of the companies involved, add up to the picture of an intentional rerouting effort, although what could have been done with the data remains unclear.

Dan Goodin of Ars Technica observed that BGP's security rests mainly on trust and verbal confirmations between network operators. As a small relief for the American corporations, all sensitive data was encrypted. However, although no way of decrypting it is publicly known, it is suggested that the information could have been stored away for decoding later.

BGPMon has suggested that network providers filter the route announcements they accept from their customers in order to provide better security.

Is the repeated hijacking of American corporations, particularly Google, a matter of mere coincidence, or does it point to an intentional cyberwar? Little is understood at present.