A hijack whose cause is still unknown has caused sensitive data for the Royal Mail and the UK's Atomic Weapons Establishment to pass through Russia and Ukraine over unsecured connections.
You'd think that data from the UK's nuclear weapons agency would be kept as far away from Russia as possible, right? Well, according to a report by Dyn, that's surprisingly not the case. For the past five days, web traffic originating in Texas and intended for certain addresses in the UK has been taking an unconventional route to its destination, through Ukraine and Russia. Detours are warranted only under specific conditions, such as connection difficulties or network congestion; neither can account for such a lengthy alternative route.
Further research by Dyn's Doug Madory, who discovered the redirection, found that the issue was caused by a bad route announced by Ukraine's Vega Telecom. "At this point, I have to believe this was an innocent mistake by Vega, but it's concerning nonetheless," said Mr. Madory.
Known to network engineers as "route hijacking", this phenomenon is nothing out of the ordinary for security researchers; however, the sensitive nature of the data and the locations involved make this incident very alarming. The issue affected quite a few websites, but one stood out from the rest: the website of the UK's Atomic Weapons Establishment (AWE). Yes, you read that right. This is the same AWE that is responsible for extremely sensitive tasks such as the management and delivery of nuclear warheads. Also affected was the Royal Mail, the UK's official postal service. You have most likely heard of Lockheed Martin, the US defense contractor; even they were caught up in the reroute, through a VPN service they were running.
There's no cause for concern regarding the contents of the data transmitted via VPN and email, as it is encrypted; however, anyone monitoring the email traffic would be able to pinpoint the locations of the IP addresses of the people involved in the conversation. What's more alarming is that anyone listening in on unencrypted HTTP traffic (as opposed to HTTPS) would be able to read the contents of the traffic, and could even go on to inject malware into the stream. The cherry on top? Both the AWE and Royal Mail sites operate over the unsecured HTTP protocol, leaving them both exposed to the risks just described. Dyn easily managed to determine when and how the hijack occurred from the public routing table; however, attempts to find out whether any data had been altered, or why the hijack occurred, have been unfruitful.
It's possible that the hijack was caused by a simple oversight at Ukraine's Vega Telecom, but the incident does highlight a major security concern in the global routing system. While there has been a lot of progress with regard to online security, the most significant addition being the relatively new HTTPS protocol, routing is still a cause for concern. The routing system still works on trust: networks announce routes for traffic to third parties, and the networks that peer with them simply adopt those routes without question. The result is that hijacks like this one can linger for days without either party knowing about the potential security breach.
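To make the "works on trust" point concrete, here is an added illustration that is not from the article or from Dyn's report: a simplified model of how a router picks a route (longest matching prefix, then shortest AS path) accepts a more-specific announcement from the wrong origin without question, and how Route Origin Validation against an RPKI-style ROA table rejects it. The AS numbers, prefixes and the ROA table are constructed documentation values, not the real networks involved in the incident, and the decision process is deliberately reduced to two steps.

```python
"""Added illustration (not from the Dyn report or this article): why a bad
route announcement is accepted on trust, and how origin validation
(RPKI ROA-style) rejects it.  AS numbers and prefixes are constructed
documentation values, not the real networks in the incident."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str               # IPv4 prefix in CIDR form
    as_path: Tuple[int, ...]  # neighbour first, originating AS last

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed ROA table: covering prefix -> (authorised origin AS, max prefix length).
ROAS: Dict[str, Tuple[int, int]] = {
    "203.0.112.0/22": (64500, 22),
}


def roa_state(ann: Announcement) -> str:
    """Route Origin Validation outcome: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [(ipaddress.ip_network(p), v) for p, v in ROAS.items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "not-found"   # no ROA covers this prefix; accepted by default
    for _, (asn, maxlen) in covering:
        if asn == ann.origin_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"         # wrong origin AS, or more specific than the ROA allows


def select_route(anns: List[Announcement], dest: str,
                 validate: bool = False) -> Optional[Announcement]:
    """Simplified BGP decision: longest matching prefix, then shortest AS path."""
    ip = ipaddress.ip_address(dest)
    candidates = [a for a in anns if ip in ipaddress.ip_network(a.prefix)]
    if validate:
        candidates = [a for a in candidates if roa_state(a) != "invalid"]
    if not candidates:
        return None
    return max(candidates, key=lambda a: (ipaddress.ip_network(a.prefix).prefixlen,
                                          -len(a.as_path)))


# Legitimate aggregate from the rightful origin, plus a more-specific announcement
# from a different origin. An accidental leak and a deliberate hijack look the same.
LEGIT = Announcement("203.0.112.0/22", (64496, 64500))
BOGUS = Announcement("203.0.113.0/24", (64497, 64498, 64511))
ANNOUNCEMENTS = [LEGIT, BOGUS]

if __name__ == "__main__":
    chosen = select_route(ANNOUNCEMENTS, "203.0.113.10")
    print("trust only ->", chosen.prefix, "origin AS", chosen.origin_as)  # the bogus /24 wins
    chosen = select_route(ANNOUNCEMENTS, "203.0.113.10", validate=True)
    print("with ROV   ->", chosen.prefix, "origin AS", chosen.origin_as)  # the legitimate /22 wins
```

Note that the more-specific /24 beats the legitimate /22 even though its AS path is longer, because prefix length is compared first; that is exactly why a single mis-announced prefix can pull traffic from across the world. Origin validation only helps when the prefix holder has published a ROA, which is why the "not-found" case is still accepted.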
The full traceroute is attached below; you can clearly see the traffic passing through Ukraine at hop 11 and Russia at hops 12 and 13.
Trace from Houston, TX to Atomic Weapons Establishment at 03:22 Mar 12, 2015
2. 126.96.36.199 ae12.dar02.sr02.hou02.networklayer.com 2.948
3. 188.8.131.52 ae9.bbr02.sr02.hou02.networklayer.com 0.3
4. 184.108.40.206 ae3.bbr02.eq01.dal03.networklayer.com 8.133
5. 220.127.116.11 ae1.bbr01.tl01.atl01.networklayer.com 28.524
6. 18.104.22.168 ae0.bbr01.eq01.wdc02.networklayer.com 42.033
7. 22.214.171.124 ae7.bbr02.eq01.wdc02.networklayer.com 40.167
8. 126.96.36.199 ae0.bbr01.eq01.ams02.networklayer.com 118.838
9. 188.8.131.52 ae0.bbr02.xn01.fra01.networklayer.com 124.983
10. 184.108.40.206 ae7.bbr01.xn01.fra01.networklayer.com 124.133
11. 220.127.116.11 edge-3-2-5-231.kiev.ucomline.net 154.988
12. 18.104.22.168 ae2-241.RT.NTL.KIV.UA.retn.net 155.174
13. 22.214.171.124 ae2-10.RT.TC2.LON.UK.retn.net 158.221
14. 126.96.36.199 linx1.ukcore.bt.net 161.442
15. 188.8.131.52 (BTnet inter-pop routes, GB) 166.986
16. 184.108.40.206 core1-pos1-1.birmingham.ukcore.bt.net 163.205
17. 220.127.116.11 vhsaccess1-pos7-0.birmingham.fixed.bt.net 164.139
19. 18.104.22.168.254 (Atomic Weapons Establishment, GB) 177.4
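As an added example that is not part of the article or of Dyn's tooling, the following parser reads the traceroute format printed above and flags hops whose reverse-DNS name belongs to a network outside an allow-list of the expected transit providers. The hostnames are the ones shown in the listing; the IP addresses and the allow-list are constructed for the example, and the registrable-domain guess is a deliberately crude two-label suffix that happens to be right for every name in this listing.

```python
"""Added example (not part of the article or Dyn's tooling): a parser for the
traceroute listing format shown above, with an allow-list check that flags hops
belonging to networks outside the expected transit providers. Hostnames below
are the ones printed in the article; IP addresses are constructed values."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Line shape: "<hop>. <ip> <hostname or (description)> <rtt ms>"
HOP_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+(\([^)]*\)|\S+)\s+([\d.]+)\s*$")


@dataclass
class Hop:
    ttl: int
    ip: str
    name: Optional[str]   # None when only a parenthesised description was printed
    rtt_ms: float


def parse_hop(line: str) -> Optional[Hop]:
    """Parse one listing line; returns None for lines that are not hops."""
    m = HOP_RE.match(line)
    if not m:
        return None
    ttl, ip, name, rtt = m.groups()
    return Hop(int(ttl), ip, None if name.startswith("(") else name, float(rtt))


def registered_domain(hostname: str) -> str:
    """Crude registrable-domain guess: the last two labels (sufficient for this listing)."""
    return ".".join(hostname.lower().split(".")[-2:])


def unexpected_hops(trace: str, allowed: Set[str]) -> List[Hop]:
    """Hops whose reverse-DNS name belongs to a network not on the allow-list."""
    hops = [h for h in (parse_hop(line) for line in trace.splitlines()) if h]
    return [h for h in hops if h.name and registered_domain(h.name) not in allowed]


# Constructed allow-list: the source carrier and the destination's carrier.
EXPECTED_DOMAINS = {"networklayer.com", "bt.net"}

# Constructed sample built from hostnames in the listing above; IPs are placeholders.
SAMPLE_TRACE = """\
2. 192.0.2.2 ae12.dar02.sr02.hou02.networklayer.com 2.948
10. 192.0.2.10 ae7.bbr01.xn01.fra01.networklayer.com 124.133
11. 192.0.2.11 edge-3-2-5-231.kiev.ucomline.net 154.988
12. 192.0.2.12 ae2-241.RT.NTL.KIV.UA.retn.net 155.174
13. 192.0.2.13 ae2-10.RT.TC2.LON.UK.retn.net 158.221
14. 192.0.2.14 linx1.ukcore.bt.net 161.442
15. 192.0.2.15 (BTnet inter-pop routes, GB) 166.986
16. 192.0.2.16 core1-pos1-1.birmingham.ukcore.bt.net 163.205
"""

if __name__ == "__main__":
    for hop in unexpected_hops(SAMPLE_TRACE, EXPECTED_DOMAINS):
        print(f"hop {hop.ttl}: {hop.name} ({registered_domain(hop.name)}) is not on the allow-list")
```

Run against the sample, the check reports hops 11, 12 and 13, the same three hops the text points to. Hop 15 carries only a description and no hostname, so it is parsed but never flagged; a production monitor would pair this name-based check with a comparison of the observed AS path against the expected one rather than relying on reverse DNS alone.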