Russia and China's 'attack on Google': Virtual wargame 'experiment' hits search giant with 'worst ever' internet hijack that intercepted search, cloud and business services

  • An internet traffic diversion disrupted Google services and re-routed its data 
  • Major internet providers in China and Russia intercepted data from Google users
  • Attack may prelude more wide-scale attacks from the nations involved in future
  • Interruptions lasted for nearly 1.5 hours until 10:30pm GMT (5:30pm EST) 
  • Google said it had no reason to believe the traffic hijacking was malicious 

Google has been hit by the 'worst ever' internet hijack in the company's history, security experts say.

Information from users' Google searches, cloud-hosting services and the company's bundle of collaboration tools for businesses - known as G Suite - were all affected.

Data belonging to users across the globe was intercepted by servers in Nigeria, China and Russia - including those run by major state-owned telecoms providers.

Security experts suggested the hack was a 'wargame experiment' - meaning it may prelude similar, more wide-scale attacks from the nations involved in future.

Google downplayed Monday's incident, however, saying it did not believe it was malicious, but failed to allay fears that the personal data of millions of users had been compromised.

The company is under increasing pressure to protect users after a string of high-profile data leaks, including last month's breach of its Google+ social network, which exposed the private information of an estimated 500,000 people.

The type of traffic misdirection employed in the latest incident, known as border gateway protocol (BGP) hijacking, can knock essential services offline and facilitate espionage and financial theft.

It can result either from misconfiguration - human error, essentially - or from malicious action.

In two recent cases, traffic rerouting has hit financial sites, potentially exposing people's private data to malicious hackers.

In April 2017, a state-owned Russian telecoms firm hijacked the traffic of MasterCard and Visa, allowing it to enumerate who was initiating connections.

This past April, another hijacking enabled hackers to steal $152,000-worth (£118,000) of the cryptocurrency Ether from users of the website EtherWallet.com.


Google network traffic normally travels through vetted service providers. A US-based Chinese 'Point of Presence' (PoP) - a legal internet access point that allows Chinese citizens to access US sites - intercepted this data and sent it to China Telecoms


This image shows an outage map of Google service in the US. Interruptions lasted for nearly one and a half hours and ended about 10:30pm GMT (5:30pm EST), network service companies said


Traffic was intercepted by servers in Nigeria, China and Russia - including those run by major state-owned telecoms providers


This graphic shows traffic from network intelligence company ThousandEyes in San Francisco being re-routed through China


Google service interruptions lasted for nearly one and a half hours and ended about 10:30pm GMT (5:30pm EST) on Monday, network service companies said.

Network intelligence company ThousandEyes uncovered the hijack.

Alex Henthorn-Iwane, an executive at ThousandEyes, called Monday's incident the worst affecting Google that his San Francisco company has seen.

He said he suspected nation-state involvement because the traffic was effectively landing at state-run China Telecom.

A recent study by U.S. Naval War College and Tel Aviv University scholars found that China systematically hijacks and diverts U.S. internet traffic.

ThousandEyes named the companies involved in Monday's incident, in addition to China Telecom, as the Russian internet provider Transtelecom and the Nigerian ISP MainOne.

According to Professor Alan Woodward, a computer scientist at the University of Surrey, the hijack could have been part of an elaborate surveillance scheme.

He told MailOnline: 'Access to people's data is a "strategic asset" for surveillance, and Russia and China have carried out hijack attacks to collect that data before.

People took to Twitter to vent their frustrations, with one user writing 'I have no idea what to do with my life'


Some users asked if the 'whole internet' went down during the outage, which was caused by what security experts fear was the 'worst ever' internet hijack in the company's history


'Most data like your online messages are encrypted, meaning anyone with access to that data could not easily read them.

'But while they could not read the messages themselves, they could track who talked to whom, when, and for how long.

'This would be useful information to help build up intelligence data on high-profile individuals of interest to foreign governments.'

Both ThousandEyes and the U.S. network monitoring company BGPmon said the internet traffic detour originated with the Nigerian company MainOne.

WHAT DO WE KNOW ABOUT THE COMPANIES INVOLVED IN THE GOOGLE HIJACK?

China Telecom 

China Telecom is a state-owned telecommunication company and the third largest mobile telecoms provider in China.

The company is embedded in North American networks, with 10 points-of-presence (PoP) access points spanning major internet exchange locations.

China Telecom has two PoPs in Canada, and eight in the United States. 

Researchers reported in October that Chinese telecom firms had been hijacking internet traffic on a regular basis.

Chris Demchak of the United States Naval War College and Yuval Shavitt of the Tel Aviv University in Israel traced global border gateway protocol (BGP) announcements.

They discovered several attacks by state-run China Telecom over the past few years, according to reports in Secure Reading.

They found that China redirected traffic between Canada and Korean government networks to its point of presence (PoP) in Toronto for six months in 2016.

A recent study by U.S. Naval War College and Tel Aviv University scholars says China systematically hijacks and diverts U.S. internet traffic.  

Trans Telecom

Trans Telecom is a state-owned Russian telecommunications company that owns one of the largest networks in the world of fibre optical cables. 

The company is a full subsidiary of Russian national railway operator, Russian Railways. 

TTK has been actively connecting broadband users in the retail market since early 2011.

In 2017, internet analysts began noticing routing databases picking up TransTeleCom-provided connections for North Korea.

North Korea has been blamed by Western governments for several major cyber attacks in recent years, including against banks and Sony Pictures.

TransTeleCom would not confirm any routing deal with the country.

But, analysts said the connection via Russia was handling around 60 per cent of the country's internet traffic. 

ISP MainOne

MainOne is a West African connectivity and data centre provider.

The company provides network, internet solutions and cloud services to providers in Nigeria, Ghana and all of West Africa.

Since its launch in 2010, MainOne has developed a reputation for reliable service, becoming the major provider of wholesale internet services to major telecom operators and government agencies.

The leak started when the cable company based in Lagos, Nigeria suddenly updated tables in the Internet’s global routing system to improperly declare that its autonomous system was the proper path to reach prefixes belonging to Google.

Within minutes, China Telecom accepted the route, followed by Russian-based Transtelecom.

MainOne has a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which may have led to the leak.
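The leak sequence described above (a network announcing a path to Google's prefixes that it should not, and upstreams accepting and re-announcing it) is exactly what an origin network's route monitoring looks for. The following is an added example, not code from the article or from any company it names: a toy route monitor that classifies observed BGP announcements as ok, hijack, leak or unknown using a constructed origin-authorisation table (in the spirit of RPKI ROAs) and a constructed neighbour policy. The prefixes and the AS numbers 64496-64511 are documented-example placeholders; 15169 is Google's real ASN and 20485 is the Transtelecom ASN quoted from BGPmon's tweet.

```python
from ipaddress import ip_network

# Constructed authorisation table, in the spirit of RPKI ROAs: which origin
# ASNs may announce which prefixes. 15169 is Google's real ASN; the prefixes
# are documentation placeholders, not Google's actual address space.
AUTHORIZED_ORIGINS = {"198.51.100.0/24": {15169}, "203.0.113.0/24": {15169}}
# Constructed neighbour policy for the origin. ASNs 64496-64511 are the
# documented-example range (RFC 5398) and stand in for the ISPs in the story:
# 64500 plays a paid transit provider, 64496 an IXP peer (the MainOne role).
TRANSIT_OF = {15169: {64500}}
PEERS_OF = {15169: {64496}}

def _authorized(prefix):
    """Union of origins allowed for prefix or any covering prefix."""
    net = ip_network(prefix)
    allowed = set()
    for covering, origins in AUTHORIZED_ORIGINS.items():
        if net.subnet_of(ip_network(covering)):
            allowed |= origins
    return allowed

def classify(prefix, as_path):
    """Return 'ok', 'hijack', 'leak' or 'unknown' for one announcement.
    as_path is ordered from the observer towards the origin (origin last)."""
    allowed = _authorized(prefix)
    if not allowed:
        return "unknown"          # not our space, nothing to judge
    # Collapse AS-path prepending, e.g. [64500, 64500, 15169].
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    origin = path[-1]
    if origin not in allowed:
        return "hijack"           # someone else claims to originate the prefix
    if len(path) == 1:
        return "ok"               # seen directly at the origin
    neighbour = path[-2]
    if neighbour in TRANSIT_OF.get(origin, set()):
        return "ok"               # a transit provider may propagate anywhere
    if neighbour in PEERS_OF.get(origin, set()) and len(path) == 2:
        return "ok"               # a peer using the route itself is fine
    # A peer re-announcing the route to its own upstreams, or a stranger
    # adjacent to the origin: the MainOne -> China Telecom -> Transtelecom shape.
    return "leak"

def find_alerts(announcements):
    """Filter a batch of (prefix, as_path) pairs down to the ones to act on."""
    return [(p, classify(p, path)) for p, path in announcements
            if classify(p, path) in ("hijack", "leak")]
```

Real deployments compare against RPKI-validated ROAs and live route-collector feeds rather than a hand-written table, but the verdicts are the same three the article's experts distinguish: wrong origin, wrong propagation path, or nothing to see.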

Google users reported that video site YouTube, which is owned by Google, would not load videos. Additionally, services linked to Nest, a smart home technology company also run by Google, were down on Monday


On Twitter, BGPmon wrote: 'Appears that Nigerian 'MainOne Cable Company' leaked many prefixes to China telecom, who then advertised it to AS20485 TRANSTELECOM (russia). From there on others appear to have picked this up.'

Neither was ready to more definitively pinpoint the cause.

On Twitter, MainOne claimed the reroute was caused by an error during a planned network upgrade.

The company wrote: 'We have investigated the advertisement of Google prefixes through one of our upstream partners.

'This was an error during a planned network upgrade due to a misconfiguration on our BGP filters.

'The error was corrected within 74mins & processes put in place to avoid reoccurrence.'

Yuval Shavitt, a network security researcher at Tel Aviv University, said it was still very possible that Monday’s issue was not an accident, despite the firm's statement.

'You can always claim that this is some kind of configuration error,' said Professor Shavitt, who last month co-authored a paper alleging that the Chinese government had conducted a series of internet hijacks.

Some users suggested the downtime was caused by a mishap with the company's border gateway protocol (BGP) management. BGP helps direct internet traffic between networks


Users were unable to use Google's search engine during the outage, triggering a wave of outrage on Twitter


Professor Woodward told MailOnline that because the hijack caused people's web services to shut down, the incident was likely the result of human error.

Similar attacks have previously allowed people to continue using the hijacked service so as not to raise suspicion, though Professor Woodward added that experts 'could not definitively rule out a malicious attack'. 

Regardless of the source, the leak put the traffic of users into foreign hands, researchers said.

The diversion 'at a minimum caused a massive denial of service to G Suite and Google Search' and 'put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance,' ThousandEyes said in a blog post.  

A Google spokesperson told MailOnline: 'We're aware that a portion of internet traffic was affected by incorrect routing of IP addresses, and access to some Google services was impacted.

'The root cause of the issue was external to Google and there was no compromise of Google services.' 

HOW CHINA ROUTINELY HIJACKS GLOBAL INTERNET TRAFFIC

Researchers reported in October that a Chinese telecoms firm had been hijacking internet traffic on a regular basis.

Chris Demchak of the United States Naval War College and Yuval Shavitt of the Tel Aviv University in Israel traced global border gateway protocol (BGP) announcements.

They discovered several attacks by state-run China Telecom over the past few years, according to reports in Secure Reading.

They found that China redirected traffic between Canada and Korean government networks to its point of presence (PoP) in Toronto for six months in 2016. 

Internet traffic between Canada and Korea normally takes the shorter route, from Canada through the U.S. and on to Korea.

Traffic between Scandinavia and Japan was also hijacked between April and May 2017.

PoPs manage traffic between all the smaller networks called autonomous systems (AS).

China has ten PoPs in North America, but it doesn't allow any foreign country PoPs in their country.

Routing of traffic between two autonomous systems is managed with the help of Border Gateway Protocol (BGP).

BGP hijacks can also occur by mistake if this system is set up incorrectly.  

Most of BGP hijacking attacks nowadays are the work of government agencies or criminal organisations with access or control of strategically placed ISPs, experts warn.

'Building a successful BGP hijack attack is complex, but much easier with the support of a complicit and preferably large scale ISP that is more likely to be included as a central transit point among a sea of ASs,' the report said. 

'China Telecom has ten strategically placed, Chinese controlled internet 'points of presence' (PoPs) across the internet backbone of North America.'

'Vast rewards can be reaped from the hijacking, diverting, and then copying of information-rich traffic going into or crossing the United States and Canada – often unnoticed and then delivered with only small delays.'  

The full findings of the study were published in the Journal of the Military Cyber Professionals Association.


The company has offered little additional information. 

Much of the internet's underpinnings are built on trust, a relic of the good intentions its designers assumed of users.

One consequence: Little can be done if a nation-state or someone with access to a major internet provider - or exchange - decides to reroute traffic.

Mr Henthorn-Iwane said Monday's hijacking may have been 'a war-game experiment.'

The theory was backed by Professor Woodward, who said a global hijack attack could have been carried out by Russia and/or China 'simply to see if they could'.

He told MailOnline: 'We all rely on the internet nowadays - why hit a country with bombs and bullets if you can disrupt their web access?  It would cause chaos.' 

Google has been hit by an attack that re-routed the firm's global internet traffic through servers located in Russia, China and Nigeria (stock image)



Google is downplaying the incident, described by one expert as the 'worst ever' in the firm's history (stock)

