
Strange snafu hijacks UK nuke maker’s traffic, routes it through Ukraine

Lockheed, banks, and helicopter designer also affected by border gateway mishap.

(Image: Dyn)

Internet traffic for 167 important British Telecom customers—including a UK defense contractor that helps deliver the country's nuclear warhead program—was mysteriously diverted to servers in Ukraine before being passed along to its final destination.

The snafu may have allowed adversaries to eavesdrop on or tamper with communications sent and received by the UK's Atomic Weapons Establishment, one of the affected British Telecom customers. Other organizations with hijacked traffic include defense contractor Lockheed Martin, Toronto Dominion Bank, Anglo-Italian helicopter company AgustaWestland, and the UK Department for Environment, according to a blog post published Friday by researchers from Dyn, a firm that helps companies monitor and control their online infrastructure.

The diverted traffic appeared to be used to send e-mail and route virtual private networks, as well as for other purposes. As the picture above illustrates, the roundabout path caused the data to travel thousands of miles to the Ukrainian capital of Kiev before turning around, retracing that route, and being delivered to its normal hub in London. Unnecessarily sending the data to Kiev may have made it possible for employees with privileged network access to Ukrainian telecom provider Vega to monitor or tamper with data that wasn't encrypted end-to-end using strong cryptography. The hijacking of the Atomic Weapons Establishment, Lockheed, and the other 165 routes occurred over a 90-minute span on Thursday, while a handful of British Telecom customers experienced diverted traffic for five days beginning Saturday.

"The 167 hijacked prefixes (listed below) also included more innocuous networks like those of Pepsi Cola (165.197.56.0/22) and Wal-Mart UK (161.163.166.0/24 and 161.163.177.0/24)," Dyn Director of Internet analysis Doug Madory wrote. "However, these networks do host domains with 'VPN' and 'mail' in their names, implying they provide important services for these companies. Does this list represent some curious mistake or something more? Either way, it redirected a portion of Internet traffic bound for networks, at a minimum resulting in poor performance for some customers."

It's not the first time that significant chunks of Internet traffic have been diverted to distant locations for unexplained reasons. In late 2013, Dyn researchers reported that data belonging to financial institutions, government agencies, and network service providers were mysteriously redirected to routers at Belarusian or Icelandic service providers. The hijackings occurred during at least 38 distinct events over a nine-month span that began in February of that year.

The diversions are the result of the implicit trust placed in the Border Gateway Protocol (BGP), the protocol used to exchange routing data between large service providers and their customers, which include financial institutions, governments, network service providers, pharmaceutical and aerospace companies, and other sensitive organizations. As Ars explained in November 2013:

The ease of altering or deleting authorized BGP routes, or of creating new ones, has long been considered a potential Achilles' heel for the Internet. Indeed, in 2008, YouTube became unreachable for virtually all Internet users after a Pakistani ISP altered a route in a ham-fisted attempt to block the service in just that country. Later that year, researchers at the Defcon hacker conference showed how BGP routes could be manipulated to redirect huge swaths of Internet traffic. By diverting it to unauthorized routers under control of hackers, they were then free to monitor or tamper with any data that was unencrypted before sending it to its intended recipient with little sign of what had just taken place.

"This year, that potential has become reality," Renesys researcher Jim Cowie wrote. "We have actually observed live man-in-the-middle (MitM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries."

At least one unidentified voice-over-IP provider has also been targeted. In all, data destined for 150 cities have been intercepted. The attacks are serious because they affect the Internet equivalents of a US interstate that can carry data for hundreds of thousands or even millions of people. And unlike the typical BGP glitches that arise from time to time, the attacks observed by Renesys provide few outward signs to users that anything is amiss.

"The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the Web," Cowie wrote. "Even if he ran his own traceroute to verify connectivity to the world, the paths he'd see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with."

The full list of 167 customers affected is:

212.162.232.0/24 Cofunds Ltd (GB)
148.253.220.0/23 Department for Environment, Food and Rural Affairs (DEFRA) (GB)
61.28.211.0/24 Servcorp (GB)
86.128.0.0/11 BT Infrastructure Layer (GB)
86.128.0.0/12 BT Infrastructure Layer (GB)
193.32.254.0/24 Marks and Spencer PLC (GB)
194.70.94.0/24 Dabs Direct PLC (GB)
148.252.5.0/24 Department for Environment, Food and Rural Affairs (DEFRA) (GB)
37.235.123.0/24 Submission Technology Ltd (GB)
194.169.34.0/24 AgustaWestland Ltd (GB)
81.128.0.0/12 BT Infrastructure Layer (GB)
143.159.0.0/16 INFONET Services Corporation (GB)
147.148.0.0/14 Various Registries (Maintained by ARIN) (GB)
193.46.221.0/24 Continental DataGraphics Ltd (GB)
132.153.3.0/24 Atomic Weapons Establishment (GB)
194.169.69.0/24 BUILDING DESIGN PARTNERSHIP LIMITED (GB)
91.230.16.0/24 Dairy Crest Ltd (GB)
193.32.48.0/24 Virgin Money plc (GB)
193.36.240.0/24 Allen and Overy LLP (GB)
192.19.187.0/24 Avago Technologies U.S. Inc. (GB)
31.48.0.0/13 BT Public Internet Service (GB)
195.171.0.0/16 BT Public Internet Service (GB)
132.153.254.0/24 Atomic Weapons Establishment (GB)
213.120.0.0/14 BT Public Internet Service (GB)
91.223.126.0/24 Evolving Systems Limited (GB)
116.66.140.0/22 Cognizant Technology Solution India Pvt Ltd, India (GB)
81.128.0.0/11 BT Public Internet Service (GB)
195.182.62.0/24 The Football Association Ltd (GB)
185.30.8.0/22 Satellite Applications Catapult Limited (GB)
86.128.0.0/10 BT Public Internet Service (GB)
147.152.0.0/16 British Telecommunications PLC (GB)
162.62.136.0/22 Adaptec, Inc. (GB)
193.28.232.0/24 TEVA UK HOLDINGS LIMITED (GB)
193.238.232.0/24 Pinewood Technologies Plc (GB)
194.36.55.0/24 Hogg Robinson PLC (GB)
196.4.50.0/24 Uniserv Group (GB)
194.33.160.0/24 Office of Communications (GB)
161.163.177.0/24 Wal-Mart Stores, Inc. (GB)
194.130.197.0/24 MAID PLC (GB)
192.65.44.0/24 Tektronix, Inc. (GB)
192.189.160.0/24 Lafarge Tarmac Holdings Limited (GB)
132.153.252.0/24 Atomic Weapons Establishment (GB)
193.195.138.0/24 Telme Online Limited (GB)
193.33.244.0/24 AAH Pharmaceuticals Ltd (GB)
132.153.251.0/24 Atomic Weapons Establishment (GB)
198.200.211.0/24 Curtis Instruments, Inc. (GB)
193.46.76.0/24 Shire Pharmaceuticals Limited (GB)
144.98.0.0/16 RWE NPower (GB)
84.23.0.0/19 Biznet IIS Ltd. (GB)
158.234.0.0/16 CGI IT UK Ltd. (GB)
193.35.197.0/24 British Telecommunications PLC (GB)
194.60.136.0/24 Cornwall Council (GB)
146.174.170.0/23 Quantum Corporation (GB)
167.26.157.0/24 CIBC World Markets (GB)
109.205.158.0/24 BONTBLOCK (GB)
5.81.0.0/16 BT Infrastructure Layer (GB)
162.10.0.0/19 Doculynx Inc. (GB)
158.155.253.0/24 Computer Generation (GB)
165.197.56.0/22 Pepsi-Cola International (GB)
193.37.142.0/24 CSC IT Ltd (GB)
148.252.3.0/24 Department for Environment, Food and Rural Affairs (DEFRA) (GB)
193.113.0.0/16 British Telecommunications PLC (GB)
194.36.248.0/24 WWRD United Kingdom Ltd (GB)
193.37.160.0/24 BT Public Internet Service (GB)
91.198.255.0/24 Sandwell Metropolitan Borough Council (GB)
192.65.227.0/24 British Telecommunications PLC (GB)
5.53.64.0/19 SAS Global Communications Ltd. (GB)
132.153.244.0/24 Atomic Weapons Establishment (GB)
170.136.115.0/24 Viad Corp (GB)
194.59.188.0/24 WCMC 2000 (GB)
194.132.25.0/24 WSP Europe (GB)
195.99.0.0/16 BT Public Internet Service (GB)
192.152.14.0/24 Aircraft Research Association Limited (GB)
159.10.208.0/22 CNA Insurance (GB)
199.181.156.0/24 ARC - Chicago (GB)
132.153.246.0/24 Atomic Weapons Establishment (GB)
192.65.224.0/24 British Telecommunications PLC (GB)
94.72.248.0/21 KCOM BT sub-allocation (GB)
193.238.233.0/24 Pinewood Technologies Plc (GB)
193.219.122.0/24 Significant (UK) Ltd (GB)
80.247.56.0/23 PGDS UK ONE - BT Internet - PG1 DC (GB)
192.65.228.0/24 British Telecommunications PLC (GB)
192.65.226.0/24 British Telecommunications PLC (GB)
194.169.32.0/24 AgustaWestland Ltd (GB)
204.124.211.0/24 Fruit of the Loom, Inc. (GB)
194.169.32.0/20 AgustaWestland Ltd (GB)
148.253.4.0/22 Department for Environment, Food and Rural Affairs (DEFRA) (GB)
194.132.24.0/24 WSP Europe (GB)
194.169.22.0/24 Isoft Health Ltd (GB)
132.153.247.0/24 Atomic Weapons Establishment (GB)
194.34.174.0/24 Allianz Insurance plc (GB)
161.163.166.0/24 Wal-Mart Stores, Inc. (GB)
195.8.202.0/23 Significant (UK) Ltd (GB)
192.31.31.0/24 British Telecommunications PLC (GB)
192.28.124.0/24 Lockheed Martin Corporation (GB)
212.140.0.0/16 BT Public Internet Service (GB)
193.195.7.0/24 Thus PLC t/a Demon Internet (GB)
192.19.199.0/24 Avago Technologies U.S. Inc. (GB)
91.233.33.0/24 Metropolitan Networks UK Ltd (GB)
192.65.222.0/24 British Telecommunications PLC (GB)
159.180.96.0/19 BT-CENTRAL-PLUS (GB)
165.120.0.0/16 BT Public Internet Service (GB)
155.202.124.0/22 SANTANDER UK PLC (GB)
150.147.68.0/24 Data Research Associates, Inc. (GB)
132.146.0.0/16 British Telecommunications PLC (GB)
109.144.0.0/12 BT Public Internet Service (GB)
159.253.66.0/23 KCOM Group Public Limited Company (GB)
142.205.161.0/24 Toronto Dominion Bank (GB)
62.7.0.0/16 BT Public Internet Service (GB)
62.239.0.0/16 British Telecommunications PLC (GB)
194.36.128.0/24 Hitachi Europe Ltd (GB)
194.32.3.0/24 Northern Ireland Civil Service (GB)
170.136.116.0/24 Viad Corp (GB)
217.32.0.0/12 BT Public Internet Service (GB)
192.65.219.0/24 British Telecommunications PLC (GB)
194.169.33.0/24 AgustaWestland Ltd (GB)
213.1.0.0/16 BT Public Internet Service (GB)
62.6.0.0/16 BT Public Internet Service (GB)
5.80.0.0/15 BT Public Internet Service (GB)
195.244.16.0/24 Websense SC Operations Limited (GB)
91.227.78.0/24 Ashridge (Bonar Law Memorial) Trust (GB)
194.169.36.0/24 AgustaWestland Ltd (GB)
193.131.115.0/24 Eurodollar (UK) Limited (GB)
192.65.223.0/24 British Telecommunications PLC (GB)
212.70.68.0/23 Intuitiv Ltd. (GB)
194.169.79.0/24 BUILDING DESIGN PARTNERSHIP LIMITED (GB)
132.153.250.0/24 Atomic Weapons Establishment (GB)
80.247.0.0/20 Net Energy Internet Ltd. (GB)
195.35.123.0/24 Toshiba Information Systems (UK) Ltd (GB)
194.130.196.0/24 MAID PLC (GB)
194.34.211.0/24 The Statistics Board (GB)
85.235.107.0/24 DMZ at Bacton. (GB)
146.198.0.0/16 INFONET Services Corporation (GB)
82.132.188.0/22 O2 Reference (UK) (GB)
194.72.0.0/14 BT Public Internet Service (GB)
213.249.188.0/22 KCOM Group Public Limited Company (GB)
194.34.210.0/24 The Statistics Board (GB)
194.34.205.0/24 The Statistics Board (GB)
192.65.225.0/24 British Telecommunications PLC (GB)
132.153.245.0/24 Atomic Weapons Establishment (GB)
132.153.253.0/24 Atomic Weapons Establishment (GB)
132.153.249.0/24 Atomic Weapons Establishment (GB)
162.116.126.0/24 Allergan, Inc. (GB)
91.247.73.0/24 Unipath Limited (GB)
145.229.0.0/16 Northern Ireland Civil Service (GB)
192.65.221.0/24 British Telecommunications PLC (GB)
149.223.0.0/16 TRW Automotive (GB)
194.169.35.0/24 AgustaWestland Ltd (GB)
167.26.158.0/24 CIBC World Markets (GB)
159.197.13.0/24 NATS (GB)
62.172.0.0/16 BT Public Internet Service (GB)
212.162.230.0/24 Royal Bank of Scotland plc (GB)
216.222.222.0/24 Smith and Nephew - Endoscopy (GB)
193.102.37.0/24 Softlab GmbH, Muenchen (GB)
194.102.0.0/19 British Telecommunications PLC (GB)
193.32.39.0/24 Sir Robert McAlpine Ltd (GB)
192.156.169.0/24 Syntellect Inc. (GB)
171.30.128.0/17 Global Crossing VHSDR service (GB)
132.153.248.0/24 Atomic Weapons Establishment (GB)
194.34.209.0/24 The Statistics Board (GB)
193.36.253.0/24 Allen and Overy LLP (GB)
195.95.131.0/24 NCC Services Ltd (GB)
152.134.0.0/16 SIX CONTINENTS LIMITED (GB)
61.28.219.0/24 Servcorp (GB)
194.34.223.0/24 Allianz Insurance plc (GB)
167.26.159.0/24 CIBC World Markets (GB)
193.39.141.0/24 AWE PLC (GB)

A chart provided by Dyn showed that about a quarter of the Internet's large providers observed the roundabout path advertised for Royal Mail Group, Limited, one of 14 groups with hijacked traffic that started Saturday. Well under 10 percent of large Internet providers observed the circuitous route Vega advertised for the Atomic Weapons Establishment during the much shorter 90-minute window that diversion lasted. It's not clear if a similarly small portion of providers recognized the path advertised for the other 166 BT customers affected. Still, the diversion is significant given the number and stature of those customers.
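The detection Dyn describes—comparing the paths that many vantage points see for a prefix against the path its owner expects, and counting how many of those vantage points see the detour—is something a network team can run itself against route-collector data. The following Python sketch is an added example, not code from the Ars article or from Dyn. It checks announcements for two Atomic Weapons Establishment prefixes taken from the list above, flags an unexpected transit AS sitting between the customer's upstream and the rest of the Internet (the Vega-style detour), flags more-specific announcements or a wrong origin AS, handles AS-path prepending, and reports the fraction of vantage points that observed an anomalous path. Every AS number (64500 for the customer, 64501 for the upstream, 64700 for the detour, 646xx for vantage points) and every observation is a constructed placeholder.

```python
import ipaddress
from collections import defaultdict

# Placeholder ASNs (private-use range), NOT the real ones for BT, AWE or Vega.
EXPECTED_ORIGIN_AS = 64500            # the customer's own origin AS
EXPECTED_UPSTREAMS = {64501}          # the upstream that should sit next to the origin
KNOWN_UPSTREAM_NEIGHBORS = {64600, 64601, 64602, 64603}   # providers known to peer with the upstream

# Monitored prefixes are taken from the article's list of affected networks.
MONITORED_PREFIXES = [ipaddress.ip_network(p) for p in ("132.153.3.0/24", "132.153.254.0/24")]

# Constructed route-collector observations: (vantage point AS, prefix, AS path),
# with the AS path ordered from the vantage point toward the origin (last element).
OBSERVATIONS = [
    (64600, "132.153.3.0/24",   [64600, 64501, 64500]),          # normal path via the upstream
    (64601, "132.153.3.0/24",   [64601, 64501, 64501, 64500]),   # prepended, still normal
    (64602, "132.153.3.0/24",   [64602, 64700, 64501, 64500]),   # detour through AS 64700
    (64603, "132.153.3.0/24",   [64603, 64700, 64501, 64500]),
    (64600, "132.153.254.0/24", [64600, 64501, 64500]),
    (64602, "132.153.254.0/24", [64602, 64501, 64500]),
    (64601, "132.153.254.0/25", [64601, 64700]),                 # more-specific from the wrong origin
    (64600, "203.0.113.0/24",   [64600, 64800]),                 # unrelated prefix, ignored
]


def collapse_prepends(path):
    """Drop consecutive duplicate ASNs (AS-path prepending) so adjacency checks are not fooled."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def covering_monitored_prefix(prefix):
    """Return the monitored prefix that equals or contains `prefix`, or None."""
    for mon in MONITORED_PREFIXES:
        if prefix.version == mon.version and prefix.subnet_of(mon):
            return mon
    return None


def classify(prefix_str, path):
    """Return (monitored_prefix, [anomaly labels]) for one announcement, or None if not monitored."""
    prefix = ipaddress.ip_network(prefix_str)
    mon = covering_monitored_prefix(prefix)
    if mon is None:
        return None
    path = collapse_prepends(path)
    anomalies = []
    if prefix != mon:
        anomalies.append("more-specific")          # a longer prefix wins over the legitimate one
    if path[-1] != EXPECTED_ORIGIN_AS:
        anomalies.append("origin-mismatch")        # someone else claims to originate the block
    elif len(path) < 2 or path[-2] not in EXPECTED_UPSTREAMS:
        anomalies.append("unexpected-upstream")    # origin reached through a provider it does not use
    elif len(path) >= 3 and path[-3] not in KNOWN_UPSTREAM_NEIGHBORS:
        # The AS next to the upstream is not one of its known neighbors: traffic is
        # being pulled through an extra network before it reaches the upstream.
        anomalies.append("unexpected-transit:AS%d" % path[-3])
    return mon, anomalies


def summarize(observations):
    """Per monitored prefix: vantage points seen, fraction seeing an anomalous path, and details."""
    seen, bad, details = defaultdict(set), defaultdict(set), defaultdict(list)
    for vantage_as, prefix_str, path in observations:
        result = classify(prefix_str, path)
        if result is None:
            continue
        mon, anomalies = result
        seen[mon].add(vantage_as)
        if anomalies:
            bad[mon].add(vantage_as)
            details[mon].append((vantage_as, prefix_str, anomalies))
    report = {}
    for mon in MONITORED_PREFIXES:
        n = len(seen[mon])
        report[str(mon)] = {
            "vantage_points": n,
            "anomalous_fraction": (len(bad[mon]) / n) if n else 0.0,
            "anomalies": details[mon],
        }
    return report


if __name__ == "__main__":
    for prefix, info in summarize(OBSERVATIONS).items():
        print(prefix, "seen by", info["vantage_points"], "vantage points;",
              "%.0f%% anomalous" % (100 * info["anomalous_fraction"]))
        for vantage_as, announced, labels in info["anomalies"]:
            print("   AS%d saw %s: %s" % (vantage_as, announced, ", ".join(labels)))
```

The fraction is the useful operational number: a detour seen by only a few vantage points, as Dyn reported for the Atomic Weapons Establishment route, will not show up in a single traceroute from the affected network, so the check has to be run across many external views rather than from inside.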
