Why Is Network Hijacking Not Considered a Threat to National Security?

For a 12-hour period on July 26 and 27, internet users trying to access a portion of Apple’s network were sent in the wrong direction by routing instructions issued by Russian operator Rostelecom. Nothing Apple has said indicates there was any significant disruption to their business, not least because some sharp-eyed Apple engineer was quick to mitigate the problem by issuing routing instructions that countermanded those from Rostelecom. Nevertheless, news of Rostelecom’s announcement was widely disseminated around the world. Some believe Rostelecom made a simple mistake, but others felt this was another example of Border Gateway Protocol (BGP) being used for network hijacking. The Internet Society’s Mutually Agreed Norms for Routing Security (MANRS) initiative provided a comprehensive description of how Rostelecom issued wrong BGP instructions and how Apple responded.

Around 21:25 UTC on 26 July 2022, Rostelecom’s AS12389 network started announcing 17.70.96.0/19. This prefix is part of Apple’s 17.0.0.0/8 block; usually, Apple only announces the larger 17.0.0.0/9 block and not this shorter prefix length.

When the routes a network is announcing are not covered by valid Route Origin Authorization (ROA), the only option during a route hijack is to announce more specific routes. This is exactly what Apple Engineering did today; upon learning about the hijack, it started announcing 17.70.96.0/21 to direct traffic toward AS714.

Rostelecom was far less timely in correcting their erroneous routing instructions.

…the possible hijacked route continued to be announced by AS12389 for many hours. Finally, around 09:39 UTC on 27 July we started seeing withdraws of the 17.70.96.0/19 route, 12 hours and 14 minutes after it began.

Rostelecom have not explained their actions and nobody else has reached a definitive conclusion about why they announced routing for somebody else’s network. There is limited sympathy for the Russian telco because they have been responsible for apparent BGP hijacks in the past. There is also general skepticism about Russia’s commitment to securing the global internet. Earlier this year Bart Groothuis, a Dutch Member of the European Parliament (MEP), accused Russia of using BGP hijacks to disrupt Ukraine.

MANRS disagreed with Groothuis’ analysis, but it is no exaggeration to observe that malicious actors could potentially use BGP to cause widespread disruption at a key moment during an international crisis. BGP has been a factor in several major network outages. The extent to which countries have become dependent on networks was illustrated in July when Canada’s Rogers suffered a 15-hour nationwide outage that prevented people calling emergency services, took a major payments service offline and put many ATMs out of action, as well as leaving Rogers subscribers without any service. The importance of protecting networks from outside interference is not lost on Russian authorities. In 2019 they instructed telcos, Rostelecom among them, to test ‘Runet’, a Russian-only internet disconnected from the rest of the world, and the test succeeded.

MANRS promotes a series of actions that network operators should take to improve BGP security. These range from mitigations they consider compulsory, such as checking the correctness of announcements from customers, to others MANRS treats as recommendations, which include anti-spoofing filtering of packets with incorrect source IP addresses and the adoption of Resource Public Key Infrastructure (RPKI) to cryptographically verify routing announcements. However, the verbal distinction between compulsory and recommended actions is a diplomatic way of working around the absence of any legal force to compel network operators to implement all the controls that MANRS champions.
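The two mechanisms at work in the Apple incident, longest-prefix matching (why Rostelecom’s /19 beat Apple’s /9, and why Apple’s /21 then beat the /19) and RPKI route origin validation (the MANRS recommendation that would have let routers discard the /19 outright), can be modelled in a few lines. The Python below is an added illustration, not code from the post or from MANRS. It uses the AS numbers and prefixes quoted above, but the ROA it contains is constructed for the example: the post says Apple’s routes were not covered by a valid ROA at the time, and the destination address 17.70.100.1 is simply a constructed address inside the hijacked /19.

```python
"""Longest-prefix match and RPKI origin validation (RFC 6811 semantics),
illustrated with the Apple / Rostelecom announcements.  Added example;
the ROA is constructed and did not exist at the time of the incident."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

APPLE_AS = 714          # Apple (AS714), from the MANRS description
ROSTELECOM_AS = 12389   # Rostelecom (AS12389), from the MANRS description


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    origin_as: int


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: prefix, maxLength, and the AS allowed to originate it."""
    prefix: IPv4Network
    max_length: int
    origin_as: int


def rpki_state(route: Route, roas) -> str:
    """'valid' if a covering ROA matches origin AS and the announced length is
    within maxLength; 'invalid' if ROAs cover the prefix but none matches;
    'not-found' if no ROA covers the prefix at all (treated as acceptable)."""
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def best_route(dest: IPv4Address, routes, roas=(), drop_invalid=False):
    """Route a router would use for dest: the longest matching prefix wins.
    With drop_invalid=True, RPKI-invalid announcements are discarded first."""
    candidates = [r for r in routes if dest in r.prefix]
    if drop_invalid:
        candidates = [r for r in candidates if rpki_state(r, roas) != "invalid"]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Announcements quoted in the post
APPLE_NORMAL = Route(ip_network("17.0.0.0/9"), APPLE_AS)          # Apple's usual announcement
HIJACK = Route(ip_network("17.70.96.0/19"), ROSTELECOM_AS)         # Rostelecom's announcement
APPLE_FIX = Route(ip_network("17.70.96.0/21"), APPLE_AS)           # Apple's counter-announcement

# Constructed ROA (hypothetical): AS714 authorised for 17.0.0.0/8 down to /9
APPLE_ROA = Roa(ip_network("17.0.0.0/8"), 9, APPLE_AS)

DEST = ip_address("17.70.100.1")  # constructed address inside the hijacked /19


def timeline() -> dict:
    """Origin AS that carries traffic for DEST at each stage of the incident."""
    return {
        "before": best_route(DEST, [APPLE_NORMAL]).origin_as,
        "during": best_route(DEST, [APPLE_NORMAL, HIJACK]).origin_as,
        "after_fix": best_route(DEST, [APPLE_NORMAL, HIJACK, APPLE_FIX]).origin_as,
        # What a router doing origin validation against the constructed ROA would pick
        "with_rov": best_route(DEST, [APPLE_NORMAL, HIJACK], [APPLE_ROA],
                               drop_invalid=True).origin_as,
    }


if __name__ == "__main__":
    for stage, origin in timeline().items():
        print(f"{stage:>10}: traffic for {DEST} goes to AS{origin}")
    for r in (APPLE_NORMAL, HIJACK, APPLE_FIX):
        print(f"{str(r.prefix):>16} from AS{r.origin_as}: {rpki_state(r, [APPLE_ROA])}")
```

Running it shows traffic moving from AS714 to AS12389 when the /19 appears and back to AS714 once the /21 is announced, and that a router validating origins against the ROA would never have accepted the /19. The same run also surfaces the caveat the post’s first quotation hints at: with maxLength set to 9, Apple’s own /21 counter-announcement is RPKI-invalid too, so an operator must set maxLength (or register additional ROAs) to cover the more specific routes it may need to announce in an emergency.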

Sometimes the concept of national security is cited too liberally. It strikes me as odd that US President Joe Biden issued an executive order in March which used the words ‘national security’ on 20 occasions to refer to risks created by cryptocurrency but Apple, the largest company in the world by market capitalization, remains vulnerable to a BGP hijack. Even the most determined cybercriminal cannot use cryptocurrency to move and launder money if all their nation’s networks have been taken offline. Security is constructed like a building, from the foundations up. The lack of security surrounding internet routing needs at least as much attention as all the risks that only manifest when networks are accessible.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.