• China Telecom was covertly helping China’s intelligence agencies in conducting espionage operation, experts believe.
  • The Chinese company has had a point-of-presence (PoP) presence in North America since the early 2000’s.

China Telecom - a Chinese state-owned telecommunications company has been using its position as a point-of-presence (PoP’s) inside US and Canadian networks to covertly help China’s intelligence agencies conduct espionage operations, experts believe.

PoP’s are the data centers that redirect the traffic between smaller networks, which, in turn, make up for the larger Internet networks. The smaller networks are known as “autonomous systems” (AS) and could belong to big companies like Google, a friendly neighborhood ISP, big tier-1 ISP’s like Verizon or any other big organizations or entities that own a separate block of IP addresses.

Researchers from the US Naval College and Tel Aviv University published a research paper, in which they said that China Telecom, the country’s third largest telecom and internet service provider has been “hijacking the vital internet backbone of western countries”. Notably, the company has had a presence inside North American networks since the early 2000’s, when it created its first point-of-presence (PoP).

Abusing the Border Gateway Protocol (BGP)

According to the researchers, the Chinese government, with the help of China Telecom, was abusing the Border Gateway Protocol (BGP) by hijacking them. The Chinese telecom aided Beijing’s efforts even after the US and China entered into an agreement to stop all government-backed cyberattacks aimed at intellectual property theft, back in September 2015.

According to the researchers, Chinese hackers were determined to use some of the networks that hijack BGP routes to send legitimate traffic through malicious servers. Using this method they carried out man-in-the-middle (MiTM) network traffic interception, and phishing attacks to steal passwords or capture HTTPS traffic. This was later decrypted and used as part of cryptographic attacks such as DROWN or Logjam.

Tracking down long-lived BGP hijacks

Researchers said that they tracked down long-lived BGP hijacks to the ten PoP’s, out of which eight were located in the US and two in Canada.

"Using these numerous PoPs, [China Telecom] has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks, and months," the researchers added.

Considering the widespread use of BGP, “one may argue such attacks can always be explained by normal' BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics - namely the lengthened routes and the abnormal durations," said the researchers.

List of long-lived BGP hijacks

Below is a list of long-lived BGP hijacks that abused the traffic of a specific network:-

  • The hijacking of routes from Canada to South Korean government sites from the beginning of February 2016 - an attack that lasted for about six months.
  • The hijacking of multiple locations in the US, including the headquarters of an Anglo-American bank in Milan, Italy in October 2016.
  • The April and May 2017 hijacking of traffic between Scandinavia and Japan, targeting a major US news organization.

Persistent hijacking attempts

The internet network system used by China is more rigid and largely closed off. It is connected using only three nodes located in Bejing, Shangai and Hong Kong. It also makes China restricted to international internet traffic, except the PoP’s set up in North America, Europe and some parts of Asia.

"This imbalance in access allows for malicious behavior by China through China Telecom at a time and place of its choosing while denying the same to the US and its allies,” the researchers noted.

Cyware Publisher