Telecommunications carriers under the control of the Russian government hijack Internet traffic of financial services



Rostelecom, a telecommunications carrier under the control of the Russian government, has been pointed out as having hijacked the Internet traffic of financial services such as Mastercard and VISA. The overseas media outlet Ars Technica explains what Rostelecom's purpose in hijacking the traffic might be.

Russian-controlled telecom hijacks financial services' Internet traffic | Ars Technica
https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/


BGP stream and The Curious Case of AS 12389 | BGPmon
https://bgpmon.net/bgpstream-and-the-curious-case-of-as12389/

On April 26, 2017, network traffic destined for the online services of Mastercard, VISA and more than 20 other financial services began to pass through Rostelecom, a carrier operated by the Russian government. For five to seven minutes, the traffic of 36 large networks was "for some reason routed via Rostelecom." Because a Border Gateway Protocol (BGP) fault was a possible cause, the incident was at first regarded as accidental. However, when engineers at the network monitoring service BGPmon looked at the affected companies, they found that many of them were related to financial services.

Doug Madory, director of Internet analysis at the network management company Dyn, commented to Ars Technica, "I would judge this to be quite dubious." The typical cause of these kinds of errors seems to be some internal traffic engineering, but it seems very strange that "someone would restrict their traffic engineering to financial networks."

Network traffic for the affected companies such as Mastercard and VISA normally passes through service providers contracted and authorized by each company. The authorized provider announces, through BGP routing tables, that it holds the blocks of IP addresses belonging to its client companies. On April 26, however, Rostelecom suddenly began announcing control of those blocks, and traffic bound for the affected networks was routed through Rostelecom's routers. This traffic hijack lasted five to seven minutes, after which routing was restored, but how the Internet traffic changed while it was hijacked has been firmly recorded.
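The mechanism described above, an unauthorized network announcing someone else's address blocks, is what route origin validation (RFC 6811) is designed to catch: each prefix is compared against a table of Route Origin Authorizations (ROAs) saying which AS may announce it and down to what prefix length. The script below is an added example written for this page, not code from Ars Technica, BGPmon or Rostelecom. It validates a constructed stream of BGP updates and reports, per prefix, how long an unauthorized origin was announcing it. The prefixes and AS12389 (Rostelecom, per the BGPmon write-up linked above) come from the page; the ROA table, the authorized ASNs 64496-64499 and the transit AS 64510 (taken from the documentation range) and all timestamps are constructed and are not the real values for these networks.

```python
"""Route-origin validation over a constructed BGP update stream (added example)."""
import ipaddress
from datetime import datetime

# Constructed ROA-style table: (prefix, maxLength, authorized origin ASN).
# The ASNs are placeholders from the documentation range 64496-64511; they
# are NOT the real origin ASes of these networks. Prefixes are from the article.
ROAS = [
    ("198.241.161.0/24", 24, 64496),  # VISA INTERNATIONAL CO
    ("216.119.216.0/24", 24, 64497),  # MasterCard Technologies LLC
    ("217.75.224.0/19", 24, 64498),   # Servicios de Hosting en Internet S.A.
]

HIJACKER_ASN = 12389  # AS12389 is Rostelecom, per the BGPmon write-up


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation.

    'valid'     - a covering ROA authorises this origin at this prefix length
    'invalid'   - the prefix is covered by at least one ROA, but none matches
    'not-found' - no ROA covers the prefix (cannot be judged from ROAs alone)
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def parse_update(line):
    """Parse one constructed update line: '<ISO time> <prefix> <AS path>'."""
    ts, prefix, *path = line.split()
    return datetime.fromisoformat(ts), prefix, [int(a) for a in path]


# Constructed update stream. Timestamps are invented (the article only says the
# event lasted five to seven minutes); the origin AS is the last hop of the path.
UPDATES = """\
2017-04-26T08:00:00 198.241.161.0/24 64510 64496
2017-04-26T08:00:00 216.119.216.0/24 64510 64497
2017-04-26T08:00:00 217.75.242.0/24 64510 64498
2017-04-26T08:36:00 198.241.161.0/24 64510 12389
2017-04-26T08:36:10 216.119.216.0/24 64510 12389
2017-04-26T08:36:30 217.75.242.0/24 64510 12389
2017-04-26T08:37:00 203.0.113.0/24 64510 64499
2017-04-26T08:41:00 198.241.161.0/24 64510 64496
2017-04-26T08:42:40 216.119.216.0/24 64510 64497
2017-04-26T08:43:00 217.75.242.0/24 64510 64498
"""


def hijack_windows(update_text=UPDATES, roas=ROAS):
    """Return [(prefix, bad_origin, start, end, seconds)] for every span during
    which a prefix was announced by an origin its ROAs do not authorise.

    'end' and 'seconds' are None if the prefix was still hijacked at the last update.
    Routes with state 'not-found' are neither flagged nor used to close a window.
    """
    records = sorted(parse_update(l) for l in update_text.strip().splitlines())
    open_windows = {}  # prefix -> (bad_origin, start)
    closed = []
    for ts, prefix, path in records:
        origin = path[-1]
        state = validate_origin(prefix, origin, roas)
        if state == "invalid" and prefix not in open_windows:
            open_windows[prefix] = (origin, ts)
        elif state == "valid" and prefix in open_windows:
            bad_origin, start = open_windows.pop(prefix)
            closed.append((prefix, bad_origin, start, ts, int((ts - start).total_seconds())))
    for prefix, (bad_origin, start) in open_windows.items():
        closed.append((prefix, bad_origin, start, None, None))
    return closed


if __name__ == "__main__":
    for prefix, bad_origin, start, end, seconds in hijack_windows():
        until = f"{end.time()} ({seconds} s)" if end else "still open"
        print(f"{prefix:20} origin AS{bad_origin} from {start.time()} until {until}")
```

The 217.75.242.0/24 entry shows why maxLength matters: the ROA authorizes the /19 down to /24, so a /24 from AS64498 is valid while the same /24 from AS12389 is invalid. A route with no covering ROA (203.0.113.0/24 here) comes back 'not-found' and is deliberately left alone, which is also why ROA coverage of one's own prefixes is the prerequisite for this check to help at all.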

The following map visualizes how Internet traffic to the 36 services affected by this incident changed. On a page prepared by BGPmon, you can also see visually how the traffic route changed over time.


It has been pointed out that this hijacking may have been carried out to intercept and manipulate the traffic of Russians accessing Internet services provided by affected financial institutions such as Mastercard and VISA. Such interception and manipulation are usually performed on unencrypted data, but it appears that even encrypted traffic could possibly be recovered using attack methods such as Logjam or DROWN.

According to Madory, even if the encrypted data cannot be deciphered, an attacker who diverts traffic onto a route different from the usual one can record who is accessing which financial service, and it would then be possible to pick out the poorly defended targets among them and concentrate attacks on those.

In addition, according to shareholder information published by Rostelecom, the Russian government owns 49% of the company's common stock, and the US Department of Commerce lists Rostelecom as a Russian state-owned enterprise. The Department of Commerce also reports that Rostelecom's board of directors includes one or more high-ranking government officials.

The companies whose Internet traffic was hijacked also include the security vendor Symantec and a subsidiary of the technology company EMC. The 36 affected network prefixes and their registered owners are listed below.

· 202.138.100.0/24 Reliance Communications Bangalore State of Karnātaka IN
· 145.226.109.0/24 Euro-Information-Europeenne de Traitement de l'Information SAS Paris Île-de-France FR
· 193.58.4.0/24 Fortis Bank N.V. Brussels Bruxelles-Capitale BE
· 217.75.242.0/24 Servicios de Hosting en Internet S.A. ES
· 194.153.135.0/24 Norvik Banka LV
· 93.190.87.0/24 Modrium Mdpay Oy NUF Øy Nord-Trøndelag Fylke NO
· 217.117.65.0/24 NET_217_117_65 UA
· 195.76.9.0/24 REDSYS SERVICIOS DE PROCESAMIENTO SLU
· 64.75.29.0/24 Arcot Systems, Inc. Sunnyvale CA US
· 206.99.153.0/24 Savvis Singapore SG
· 198.241.161.0/24 VISA INTERNATIONAL CO US
· 203.112.91.0/24 HSBC banking and financial services Hong Kong HK
· 196.38.228.0/24 Internet Solutions Johannesburg Gauteng ZA
· 216.136.151.0/24 Savvis Arlington VA US
· 198.161.246.0/24 EMC Corporation Southborough MA US
· 212.243.129.0/24 UBS Card Center AG Glattbrugg Kanton Zürich CH
· 203.112.90.0/24 HSBC banking and financial services Hong Kong HK
· 216.150.144.0/24 Xand Corporation Farmingdale NY US
· 195.20.110.0/24 Bank Zachodni WBK S.A. Poznań Województwo Wielkopolskie PL
· 193.16.243.0/24 Servicios Para Medios De Pago S.A. ES
· 202.187.53.0/24 TIME DOTCOM BERHAD Shah Alam Selangor MY
· 160.92.181.0/24 Worldline France hosting FR
· 145.226.45.0/24 Euro-Information-Europeenne de Traitement de l'Information SAS Strasbourg Alsace FR
· 195.191.110.0/24 card complete Service Bank AG Vienna Wien AT
· 193.104.123.0/24 PROVUS SERVICE PROVIDER SA Bucharest Bucureşti RO
· 69.58.181.0/24 Verisign, Inc. New York NY US
· 194.5.120.0/24 DOCAPOST BPO SAS FR
· 89.106.184.0/24 Worldline SA Frankfurt am Main Hessen DE
· 217.75.224.0/19 Servicios de Hosting en Internet S.A. Madrid Comunidad de Madrid ES
· 195.114.57.0/24 DNBNORD PLC LV
· 198.241.170.0/24 VISA INTERNATIONAL CO US
· 216.119.216.0/24 MasterCard Technologies LLC Wentzville MO US
· 193.203.231.0/24 SIA S.p.A. Milano Lombardia IT
· 65.205.249.0/24 Symantec Inc Mountain View CA US
· 194.126.145.0/24 Netcetera AG Zürich Kanton Zürich CH
· 65.205.248.0/24 Symantec Inc Mountain View CA US


Both Madory and the BGPmon engineers point out that the hijacking could have been accidental, but this would not be the first time BGP traffic has been intentionally diverted. Renesys, since acquired by Dyn, reported in 2013 that a large amount of Internet traffic belonging to financial institutions, government agencies and network service providers had been redirected through remote locations.

Clearly the world's major net traffic passed through Belarus and Iceland for some reason - GIGAZINE

in Security, Posted by logu_ii