Ethernet cables are seen running from the back of a wireless router in Washington, D.C. on March 21, 2019. (Mandel Ngan/AFP/Getty Images)

China Telecom Rerouted European Mobile Traffic Through China for Two Hours

Millions of smartphone users in Europe—Switzerland, Holland and France—were unable to download or upload files on their devices for more than two hours on June 6. Experts from U.S. tech company Oracle investigated and found that Chinese state-owned telecommunications company China Telecom “hijacked” the mobile traffic, a type of hacking which is called Border Gateway Protocol (BGP) hijacking.

Europe Incident

Those who used mobile telecom services from Swiss Swisscom, Dutch KPN, French Bouygues Telecom, and Numericable-SFR discovered that their smartphones were not operating normally due to the extremely low data-transferring speed during lunch break on June 6.

“Often, routing incidents like this only last for a few minutes, but in this case, many of the leaked routes in this incident were in circulation for over two hours,” Doug Madory, director of Internet Analysis at Oracle Dyn Global Business Unit, wrote in his analysis report after the BGP hijacking.

Madory explained: “Swiss data center colocation company Safe Host leaked over 70,000 routes to China Telecom in Frankfurt, Germany. China Telecom then announced these routes [as its own routes],” and redirected “large amounts of internet traffic destined for some of the largest European mobile networks through China Telecom’s network.”

Madory pointed out that mobile data from the affected European smartphone users were not going to their destined PoP (point-of-presence), but to China. Madory did not say whether China Telecom had copied or used this mobile data, but pointed out that the company is dangerous because BGP hijacking can affect an entire region’s internet connection.

BGP is one of the internet’s most important protocols. Most internet service providers (ISP) use BGP to set up how packets of data are routed across the internet. By using the same protocol, the ISP can connect with all other ISPs that use the same BGP. PoP is the interface point, where the data from internet users connect to the ISP’s main network.

BGP hijacking means customers’ data has entered the ISP’s main network from the nearest PoP, but has not been transferred to the PoP closest to its desired destination. In this situation, users will experience their data transferring significantly slowing down or stalling.

China Telecom’s Past Attacks

China Telecom is China’s third-largest telco and ISP. It was involved in BGP hijackings several times in recent years, especially in the United States through eight PoPs, and two PoPs in Canada, according to two scholars’ report in 2018.

Chris C. Demchak from the U.S. Naval War College, and Yuval Shavitt from Tel Aviv University had co-authored a report published in the Journal of the Military Cyber Professionals Association, explaining how they concluded that China Telecom’s past BGP hijackings were intentional.

Demchak and Shavitt wrote in their report that China Telecom hijacked routes from Canadian and South Korean government sites for about six months starting in February 2016.

On October 2016, China Telecom hijacked the internet traffic from several American locations to Anglo American bank headquarters in Milan, Italy.

About six weeks between April and May 2017, China Telecom had hijacked data that was sent out from Sweden and Norway to a large American news organization’s Japanese network.

And Madory had conducted another analysis of a BGP hijacking on Nov. 6, 2014. After Russian mobile provider Vimpelcom and China Telecom signed a network sharing agreement and established a BGP peer relationship in September 2013, China Telecom had leaked Vimpelcom’s routes, and redirected the data from Russia to China over a dozen times.

Potential Threat

The scholars’ report concluded: “That imbalance in access allows for malicious behavior by China through China Telecom at a time and place of its choosing, while denying the same to the U.S. and its allies.”

The report analyzed that such attacks are threatening, as China Telecom hijacked data from governments, banks, and news agencies, which could be damaging to the targeted countries and companies.

The report pointed out that China’s internet is largely closed off and isolated from the rest of the world. It connects only via three nodes located in Beijing, Shanghai, and Hong Kong.

By this isolationist approach, Chinese data remains safe and cannot be BGP-hijacked. It also means Chinese ISPs have to use overseas PoPs—in North America, Europe, and other Asian countries—to carry out BGP hijacking.

“One could even argue that fairness dictates that China Telecom should not extend beyond Hong Kong unless other global peers were given equivalent access to have PoPs in China itself,” the report said.