Key traffic across the internet has been “hijacked” several times this year and deliberately routed through locations in, first, Belarus and then Iceland.

The hijackings – or “network interceptions” – were targeted at specific cities and are thought to have been launched with the aim of examining financial information.
That is the claim of network performance management firm Renesys, which monitors internet traffic on behalf of clients.
In a blog posting explaining the attacks, it claimed: “We have actually observed live man-in-the-middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.”
The company has produced a map of 150 cities in which it has observed at least one victim of this man-in-the-middle attack. Two cities in the UK were also targeted – what appear to be Newcastle and Bristol, but not London – which may undermine the company’s theory that the purpose of the attacks was solely financial.
The victims of the attacks have included financial institutions, providers of voice-over-IP networks and governments, claimed Renesys.
“What makes a man-in-the-middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient. The attackers keep at least one outbound path clean. After they receive and inspect the victim’s traffic, they release it right back onto the internet, and the clean path delivers it to its intended destination.
“If the hijacker is in a plausible geographic location between the victim and its counter-parties, they should not even notice the increase in latency that results from the interception. It’s possible to drag specific internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way. Who needs fibre-optic taps?” asks Renesys.
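The mechanism Renesys describes above can be reproduced in a small routing model. The following is an added example, not code from the article or from Renesys: a toy BGP simulation in which a hijacker announces a more-specific prefix for the victim’s address space, which wins longest-prefix match everywhere it propagates and so draws the victim’s inbound traffic to the hijacker; the hijacker then forwards the traffic on to the real destination via an upstream that was deliberately not given the more-specific route (the “clean” path). The same walk shows what happens if the clean path is missing: the returned traffic loops straight back to the hijacker. A small origin check at the end flags the announcement the way a route-origin validator would. Every AS number, prefix and routing table here is constructed for illustration; the longest-prefix-wins rule and the loop are standard BGP behaviour, not anything specific to the incidents the article reports.

```python
"""
Added example (not the article's or Renesys's code): a toy model of a BGP
man-in-the-middle route hijack. AS numbers, prefixes and routing tables are
all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost = neighbour the route was learned from, rightmost = origin AS


def best_route(rib, dst):
    """Simplified BGP decision: longest prefix match, ties broken by shortest
    AS path. Returns None if no route covers dst."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in rib if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


def forward_path(ribs, src_as, dst, owner_as, max_hops=16):
    """Walk a packet AS by AS from src_as toward dst using each AS's table.
    Returns (hops, outcome); outcome is 'delivered', 'loop' or 'no-route'.
    A hop marked '*' is an AS that originated the winning route for address
    space it does not own: the interception point. That AS then forwards the
    packet on using only routes it learned from its neighbours."""
    hops, visited, current = [], set(), src_as
    while len(hops) < max_hops:
        if current in visited:
            return hops, "loop"
        visited.add(current)
        rib = ribs[current]
        route = best_route(rib, dst)
        if route is None:
            hops.append(str(current))
            return hops, "no-route"
        if route.as_path[-1] == current:
            if current == owner_as:
                hops.append(str(current))
                return hops, "delivered"
            hops.append(f"{current}*")  # intercepted here, then released onward
            route = best_route([r for r in rib if r.as_path[-1] != current], dst)
            if route is None:
                return hops, "no-route"
        else:
            hops.append(str(current))
        current = route.as_path[0]
    return hops, "loop"


# Constructed topology (AS numbers from the private range, TEST-NET prefixes).
VICTIM, UPSTREAM, HIJACKER, TRANSIT, SOURCE = 64500, 64600, 64666, 64700, 64800
P23 = "198.51.100.0/23"  # the victim's real allocation
P24 = "198.51.100.0/24"  # more-specific announced by the hijacker


def _rib(*routes):
    return [Route(ipaddress.ip_network(p), path) for p, path in routes]


# Hijacker announces the /24 to TRANSIT but filters it toward UPSTREAM, so
# UPSTREAM still carries only the victim's legitimate /23: the clean path.
CLEAN_RIBS = {
    VICTIM:   _rib((P23, (VICTIM,))),
    UPSTREAM: _rib((P23, (VICTIM,))),
    HIJACKER: _rib((P23, (UPSTREAM, VICTIM)), (P24, (HIJACKER,))),
    TRANSIT:  _rib((P23, (UPSTREAM, VICTIM)), (P24, (HIJACKER,))),
    SOURCE:   _rib((P23, (TRANSIT, UPSTREAM, VICTIM)), (P24, (TRANSIT, HIJACKER))),
}

# Same topology, but the /24 also leaked to UPSTREAM: no clean path remains.
NO_CLEAN_RIBS = dict(CLEAN_RIBS)
NO_CLEAN_RIBS[UPSTREAM] = _rib((P23, (VICTIM,)), (P24, (HIJACKER,)))


def flag_origin_anomalies(announcements, authorized):
    """Flag (prefix, as_path) announcements whose origin AS is not authorized
    for the covering prefix, or which are more specific than the authorized
    maximum length. 'authorized' is a constructed (prefix, origin, maxlen)
    table, the shape of data an RPKI route-origin validator works from."""
    findings = []
    for prefix, as_path in announcements:
        net, origin = ipaddress.ip_network(prefix), as_path[-1]
        covering = [(p, a, m) for p, a, m in authorized if net.subnet_of(p)]
        if not covering:
            continue  # space not covered by the table: nothing to judge
        if not any(a == origin and net.prefixlen <= m for _, a, m in covering):
            findings.append((prefix, origin, as_path))
    return findings


AUTHORIZED = [(ipaddress.ip_network(P23), VICTIM, 23)]
ANNOUNCEMENTS = [
    (P23, (TRANSIT, UPSTREAM, VICTIM)),  # legitimate
    (P24, (TRANSIT, HIJACKER)),          # wrong origin and more specific
    ("203.0.113.0/24", (TRANSIT, 64900)),  # not in the table: ignored
]

if __name__ == "__main__":
    print("clean path:   ", forward_path(CLEAN_RIBS, SOURCE, "198.51.100.10", VICTIM))
    print("no clean path:", forward_path(NO_CLEAN_RIBS, SOURCE, "198.51.100.10", VICTIM))
    print("flagged:      ", flag_origin_anomalies(ANNOUNCEMENTS, AUTHORIZED))
```

With the clean path the packet travels SOURCE, TRANSIT, HIJACKER (intercepted), UPSTREAM, VICTIM and is delivered; the recipient sees nothing but a longer AS path and some extra latency. With the /24 leaked to the upstream as well, the upstream sends the released packet straight back to the hijacker and the model reports a loop, which is why the attacker must filter the more-specific announcement toward at least one provider. The origin check flags only the /24 with origin 64666.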
The attacks started in February 2013, the company said, when a sequence of events lasting from a few minutes to a few hours saw particular internet traffic diverted via Belarusian internet service provider GlobalOneBel.
“These redirections took place on an almost daily basis throughout February, with the set of victim networks changing daily. Victims whose traffic was diverted varied by day, and included major financial institutions, governments, and network service providers. Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran,” claimed Renesys.