Russian telecom may have intentionally hijacked internet traffic bound for Mastercard, VISA, and more

Posted on Apr 30, 2017 by Caleb Chen
Russian network hijacking

On April 26, 2017, Rostelecom, a Russian telecom, hijacked large amounts of sensitive network traffic from over a dozen financial institutions including Mastercard and VISA. Rostelecom, one of the big four telecoms in Russia, did this by inaccurately announcing 36 network blocks as theirs through border gateway protocol (BGP) tables. This type of inaccurate announcement of network space and subsequent rerouting does happen by accident sometimes. However, the fact that over two dozen international financial institutions were affected, targeted really, makes it seem like this action was not accidental. A little digging reveals that Rostelecom happens to be owned (49%) by the Russian government. What’s more, multiple senior government officials currently hold board seats at Rostelecom.

Russian telecom hijacking of targeted financial Internet traffic is curious to say the least

BGPMon called the hijacking “curious.” Doug Madory from Dyn was more straightforward with his words; he told ArsTechnica:

“I would classify this as quite suspicious. Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”

Rostelecom hasn’t commented to media about the incident. What we know is that sensitive information from around the world was flowing into Russia for 5-7 minutes. This would have allowed Russians to see and manipulate any of that traffic that was unencrypted at that time; or, at the least, see who was connecting and from where. Such information would be invaluable to hackers as it could not only reveal sensitive information but also the sources of financial transactions – who could then be targeted themselves.

The institutions that were affected by this hijacking are (info via BGPMon):

 AS     Autonomous System Name      
  49002  Federal State Unitary Enterprise Russian
   3561  Savvis
  41268  LANTA Ltd
   2559  Visa International
   8255  Euro-Information-Europeenne de Traitemen
  31627  Servicios Para Medios De Pago S.A.
    701  MCI Communications Services, Inc. d/b/a
   3259  Docapost Bpo SAS
   3303  Swisscom (Switzerland) Ltd
   3741  IS
   5553  State Educational Institution of Higher
   5630  Worldline SA
   8291  The Federal Guard Service of the Russian
   8677  Worldline SA
   9162  The State Educational Institution of Hig
   9221  HSBC HongKong
   9930  TIME dotCom Berhad
  11383  Xand Corporation
  12257  EMC Corporation
  12578  SIA Lattelecom
  12954  SIA S.p.A.
  15468  38, Teatralnaya st.
  15632  JSC Alfa-Bank
  15742  PJSC CB PrivatBank
  15835  ROSNIIROS Russian Institute for Public N
  15919  Servicios de Hosting en Internet S.A.
  18101  Reliance Communications Ltd.DAKC MUMBAI
  25410  Bank Zachodni WBK S.A.
  26380  MasterCard Technologies LLC
  28827  Fortis Bank N.V.
  30060  VeriSign Infrastructure & Operations
  34960  Netcetera AG
  35469  Ojsc Bank Avangard
  50080  Provus Service Provider SA
  50351  card complete Service Bank AG
  61100  Norvik Banka AS
200163  Itera Norge AS

Russian government wants to do whatever they want on the Internet

Moscow, Russia even intends to be the first 5G connected city by 2020 – but all of that data will be stored by Russian telecoms under Russia’s Big Brother Law. Over the last year, Russia has shown their true colors when it comes to Internet rights: they’ve evicted Amnesty International, and coerced some companies like Twitter to move servers to Russia. The Russian government has even convinced some VPN companies to censor what the government wants. On the contrary, Private Internet Access has removed all servers from Russia following a separate incidence of questionable Russian seizure in July of last year.

Like this article? Get notified by email when there is a new article or signup to receive the latest news in the fight for Privacy via the Online Privacy News RSS Feed.

VPN Service