For the past week sensitive internet data from the UK’s Atomic Weapons Establishment and other sensitive information was being sent through Ukraine and Russia by an apparent accident.
For the past week, something strange has been going on in the European internet. For five days, web traffic from Texas to certain addresses in the UK has been routed through Ukrainian and Russian telecoms, taking a detour thousands of miles out of the way. Network traffic often takes a circuitous route as a result of network congestion or interconnection difficulties, but neither one would be enough to account for these routes. Instead, this was the result of a bad route announced by Ukraine’s Vega telecom, inserting itself in between. “At this point, I have to believe this was an innocent mistake by Vega,” said Dyn’s Doug Madory, who first discovered the redirection, “but it’s concerning nonetheless.”
This phenomenon is known as “route hijacking,” and it’s a common security concern for network engineers and security researchers alike. It’s particularly disconcerting because of the sensitive nature of many of the sites involved. Among the dozens of sites involved was the UK’s Atomic Weapons Establishment, which is tasked with managing and delivering the UK’s nuclear warheads, as well as the UK’s official mail service, the Royal Mail. US defense contractor Lockheed Martin was also running a VPN connection that was caught up in the redirection.
VPN traffic would have been encrypted, as well as almost all email traffic, but anyone listening in on email traffic would have been able to read the IP addresses of the parties involved. Even worse, any site serving data over unencrypted HTTP would have been entirely in the clear, and potentially exposed to injection attacks by a malicious third party with access to an intermediate network. (Both AWE and Royal Mail serve their sites over unencrypted HTTP.) Because of the public nature of the routing table, it’s easy to see exactly when and how the route hijacking occurred, but why is still a mystery, and we can’t say for sure whether any data was altered in transit.
It’s still likely that the redirection was simply an innocent error, but it underscores the insecure nature of the global routing system. While much of the web has grown more wary of digital attack, routing is still based on trust, with networks freely announcing routes and friendly telecoms adopting them as a matter of habit. As a result, inefficient and potentially insecure routes like this one can linger for days without being corrected, without the parties involved ever being aware of them.