Google has been hit by an attack that the re-routed the firm’s global internet traffic through servers located in Russia, China and Nigeria.
Security experts have spoken out about the data diversion, which they believe was part of a ‘wargame experiment’ being run by the three nations involved.
Information from Google searches, cloud-hosting services and the company’s bundle of collaboration tools for businesses – known as G Suite – were all affected.
Google is downplaying the incident, described by one expert as the ‘worst ever’ in the firm’s history, saying it does not believe it was malicious.
The firm has yet to confirm the exact nature of the data affected, as well as how many users have been put at risk, with millions potentially in the firing line.
Experts are concerned about the prospect of the nations involved gaining access to users’ private data by monitoring re-routed traffic.
The attack may also be a sign of things to come as cyber warfare steps up between the West and its global competitors.
Google has been hit by an attack that the re-routed the firm’s global internet traffic through servers located in Russia, China and Nigeria. Security experts have spoken out about the data diversion, which they believe was part of a ‘wargame experiment’
The diversion ‘at a minimum caused a massive denial of service to G Suite and Google Search’ and ‘put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance,’ the network intelligence company ThousandEyes said in a blog post.
Service interruptions lasted for nearly one and a half hours and ended about 10:30pm GMT (5:30pm EST), the network service companies said.
In addition to Russian and Chinese telecommunications firms, a Nigerian internet service provider (ISP) was also involved.
A Google status page noted that ‘access to some Google services was impacted’ and said the cause was ‘external to Google.’ The company offered little additional information.
MailOnline has contacted Google for a comment but had not received a reply at the time of publication.
The type of traffic misdirection employed, known as border gateway protocol (BGP) hijacking, can knock essential services offline and facilitate espionage and financial theft.
It can result either from misconfiguration – human error, essentially – or from malicious action.
A Google status page noted that ‘access to some Google services was impacted’ and said the cause was ‘external to Google’
WHAT IS BGP HIJACKING?
Border gateway protocol (BGP) hijacking is when attackers maliciously reroute Internet traffic.
Attackers accomplish this by falsely announcing ownership of groups of IP addresses, called IP prefixes, that they do not actually own, control, or route to.
A BGP hijack is much like if someone were to change out all the signs on a stretch of freeway and reroute automobile traffic onto incorrect exits.
Because BGP is built on the assumption that interconnected networks are telling the truth about which IP addresses they own, BGP hijacking is nearly impossible to stop.
Border gateway protocol (BGP) hijacking is when attackers maliciously reroute Internet traffic. A BGP hijack is much like if someone were to change out all the signs on a stretch of freeway and reroute automobile traffic onto incorrect exits
Imagine if no one was watching the freeway signs, and the only way to tell if they had been maliciously changed was by observing that a lot of automobiles were ending up in the wrong neighbourhoods.
However, for a hijack to occur, attackers need to control or compromise a BGP-enabled router that bridges between one autonomous system (AS) and another, so not just anyone can carry out a BGP hijack.
When an AS announces a route to IP prefixes that it does not actually control, this announcement, if not filtered, can spread and be added to routing tables in BGP routers across the Internet.
From then until somebody notices and corrects the routes, traffic to those IPs will be routed to that AS.
It would be like claiming territory if there were no local government to verify and enforce property deeds.
Most network traffic to Google services – 94 per cent as of October 27 – is encrypted, which shields it from prying eyes even if diverted.
Alex Henthorn-Iwane, an executive at ThousandEyes, called Monday’s incident the worst affecting Google that his San Francisco company has seen.
He said he suspected nation-state involvement because the traffic was effectively landing at state-run China Telecom.
A recent study by U.S. Naval War College and Tel Aviv University scholars found that China systematically hijacks and diverts U.S. internet traffic.
Google said it had no reason to believe the traffic hijacking was malicious. It did not explain why.
This graphic shows traffic from network intelligence company ThousandEyes in San Francisco being re-routed through China
Much of the internet’s underpinnings are built on trust, a relic of the good intentions its designers assumed of users.
One consequence: little can be done if a nation-state or someone with access to a major internet provider – or exchange – decides to reroute traffic.
Mr Henthorn-Iwane says Monday’s hijacking may have been ‘a war-game experiment.’
In two recent cases, such rerouting has affected financial sites. In April 2017, one affected MasterCard and Visa among other sites. This past April, another hijacking enabled cryptocurrency theft.
The Department of Homeland Security did not immediately respond to a request for comment.
ThousandEyes named the companies involved in Monday’s incident, in addition to China Telecom, as the Russian internet provider Transtelecom and the Nigerian ISP MainOne.
Both ThousandEyes and the U.S. network monitoring company BGPmon said the internet traffic detour originated with the Nigerian company. Neither was ready to more definitively pinpoint the cause.