Russian telecom may have intentionally hijacked internet traffic bound for Mastercard, VISA, and more
On April 26, 2017, Rostelecom, a Russian telecom, hijacked large amounts of sensitive network traffic from over a dozen financial institutions including Mastercard and VISA. Rostelecom, one of the big four telecoms in Russia, did this by announcing, through the Border Gateway Protocol (BGP), 36 network blocks belonging to other organizations as if they were its own, so that routers elsewhere on the Internet forwarded traffic for those blocks to Rostelecom. This kind of inaccurate announcement of network space, and the rerouting that follows from it, does happen by accident sometimes. However, the fact that over two dozen international financial institutions were affected, and apparently targeted, makes it seem like this action was not accidental. A little digging reveals that Rostelecom happens to be owned (49%) by the Russian government. What’s more, multiple senior government officials currently hold board seats at Rostelecom.
Russian telecom hijacking of targeted financial Internet traffic is curious to say the least
“I would classify this as quite suspicious. Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”
Rostelecom hasn’t commented to media about the incident. What we know is that sensitive information from around the world was flowing into Russia for 5-7 minutes. This would have allowed Russians to see and manipulate any of that traffic that was unencrypted at that time; or, at the least, see who was connecting and from where. Such information would be invaluable to hackers as it could not only reveal sensitive information but also the sources of financial transactions – who could then be targeted themselves.
The institutions that were affected by this hijacking are (info via BGPMon):
AS      Autonomous System Name
49002   Federal State Unitary Enterprise Russian
3561    Savvis
41268   LANTA Ltd
2559    Visa International
8255    Euro-Information-Europeenne de Traitemen
31627   Servicios Para Medios De Pago S.A.
701     MCI Communications Services, Inc. d/b/a
3259    Docapost Bpo SAS
3303    Swisscom (Switzerland) Ltd
3741    IS
5553    State Educational Institution of Higher
5630    Worldline SA
8291    The Federal Guard Service of the Russian
8677    Worldline SA
9162    The State Educational Institution of Hig
9221    HSBC HongKong
9930    TIME dotCom Berhad
11383   Xand Corporation
12257   EMC Corporation
12578   SIA Lattelecom
12954   SIA S.p.A.
15468   38, Teatralnaya st.
15632   JSC Alfa-Bank
15742   PJSC CB PrivatBank
15835   ROSNIIROS Russian Institute for Public N
15919   Servicios de Hosting en Internet S.A.
18101   Reliance Communications Ltd.DAKC MUMBAI
25410   Bank Zachodni WBK S.A.
26380   MasterCard Technologies LLC
28827   Fortis Bank N.V.
30060   VeriSign Infrastructure & Operations
34960   Netcetera AG
35469   Ojsc Bank Avangard
50080   Provus Service Provider SA
50351   card complete Service Bank AG
61100   Norvik Banka AS
200163  Itera Norge AS
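The hijack described above is detectable by comparing live BGP announcements against a baseline of which AS legitimately originates each prefix, which is essentially what a monitoring service such as BGPMon does. The following is an added example, not code from the article or from BGPMon: the prefixes are RFC 5737 documentation ranges, the transit and hijacking ASNs (64496, 64500) are RFC 5398 documentation ASNs standing in for real networks, and only the origin ASNs 2559 (Visa International) and 26380 (MasterCard Technologies LLC) come from the list above. It flags both a wrong origin AS on a known prefix and a more-specific prefix that would win longest-prefix match even if its origin looks right.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline: prefix -> ASN that legitimately originates it.
# Prefixes are documentation ranges; the ASNs are from the affected list above.
BASELINE = {
    ipaddress.ip_network("203.0.113.0/24"): 2559,    # Visa International
    ipaddress.ip_network("198.51.100.0/24"): 26380,  # MasterCard Technologies LLC
}

@dataclass
class Alert:
    prefix: str
    kind: str              # "origin-mismatch" or "more-specific"
    expected_origin: int
    observed_origin: int

def check_announcement(prefix, as_path, baseline=BASELINE):
    """Compare one observed announcement against the baseline.

    as_path is the AS_PATH as a list of ints; its last element is the origin AS.
    Returns a list of Alert objects, empty if the announcement is consistent."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    alerts = []
    for known, expected in baseline.items():
        if net.version != known.version:
            continue
        if net == known and origin != expected:
            alerts.append(Alert(prefix, "origin-mismatch", expected, origin))
        elif net != known and net.subnet_of(known):
            # A more-specific prefix attracts the traffic regardless of who
            # originates it, so it is flagged even when the origin AS is the owner.
            alerts.append(Alert(prefix, "more-specific", expected, origin))
    return alerts

def scan(announcements, baseline=BASELINE):
    """Run check_announcement over an iterable of (prefix, as_path) tuples."""
    alerts = []
    for prefix, path in announcements:
        alerts.extend(check_announcement(prefix, path, baseline))
    return alerts

# Constructed sample feed: 64496 stands in for a transit AS, 64500 for the
# hijacking AS. Neither is the page's or any real operator's ASN.
SAMPLE_FEED = [
    ("203.0.113.0/24", [64496, 2559]),    # legitimate origin, no alert
    ("203.0.113.0/24", [64496, 64500]),   # same prefix, wrong origin AS
    ("198.51.100.0/25", [64496, 64500]),  # more-specific of a baseline prefix
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FEED):
        print(f"{a.kind}: {a.prefix} from AS{a.observed_origin}, expected AS{a.expected_origin}")
```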
Russian government wants to do whatever they want on the Internet
Moscow, Russia even intends to be the first 5G connected city by 2020, but all of that data will be stored by Russian telecoms under Russia’s Big Brother Law. Over the last year, Russia has shown its true colors when it comes to Internet rights: it has evicted Amnesty International and coerced companies such as Twitter into moving servers to Russia. The Russian government has even convinced some VPN companies to censor what the government wants. By contrast, Private Internet Access has removed all of its servers from Russia following a separate incident of questionable Russian seizure in July of last year.