IP Hijacking at Major European IXP Represents Long Term Threat Against Organizations

Companies and institutions around the globe transmit tremendous amounts of data over the Internet, some of it sensitive or confidential and not intended for prying eyes. Many interested groups are eager to get their hands on this information. Most organizations are aware of these dangers and invest resources and effort in defending themselves against cyber-attacks that attempt to gain access to their systems. However, not all cyber-espionage takes place inside the organization's own network.

While some IP hijacking attacks are targeted at specific companies, other cases show that attackers opportunistically go after convenient Internet Exchange Points (IXPs) and pick "interesting" targets from the large volume of traffic passing through them. Most traffic is routed untouched, while selected blocks of addresses are deflected to attacker-controlled sites before being forwarded on to their intended destination, so the victim never knows it happened.

During September 2017, BGProtect detected a large-scale deflection attack on routes passing through one of the largest IXPs in the world, based in Europe. The routes were hijacked to Russia by a large and legitimate Russian provider which, however, is suspected of active participation in past IP hijack attacks.

During the attack, a select group of over 30,000 destinations, less than 2% of those examined, were diverted from the IXP to Russia. Many were later rerouted via Stockholm to their intended destinations, while a few never made it, getting lost in transit. Examining the deflected destinations, BGProtect identified clear groups among them, including US utility companies, internet security companies, financial institutions, US universities and many more.
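The detection described above rests on comparing the path traffic actually takes against a known-good baseline for the same destination, and on noticing when the same unexpected transit network recurs across many destinations. The Python below is an added illustration of that comparison, not BGProtect's code or method; every hop address, AS number and country code in it is constructed (documentation-reserved addresses and AS numbers), and the "lost in transit" case is modelled simply as a path that never reaches the destination address.

```python
"""
Route-deflection detection by baseline comparison.

Added example, not BGProtect's code. All hop addresses (RFC 5737 ranges),
AS numbers (64496-64511, reserved for documentation) and country codes are
constructed for illustration, not measurements from the incident.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    ip: str        # address that answered at this hop (constructed)
    asn: int       # AS that originates the hop's prefix (constructed)
    country: str   # country of the hop from a geolocation lookup (constructed)


@dataclass(frozen=True)
class PathCheck:
    destination: str
    status: str       # "ok", "deflected" or "blackholed"
    unexpected: tuple # (asn, country) pairs absent from the baseline


def fingerprint(path):
    """Reduce a path to the set of (AS, country) pairs it traverses."""
    return {(h.asn, h.country) for h in path}


def check_path(destination, dest_ip, baseline, observed):
    """Compare one observed path against the known-good baseline for a destination.

    "deflected": the path crosses an (AS, country) the baseline never did but
    still reaches the destination; "blackholed": it never reaches it at all.
    """
    unexpected = tuple(sorted(fingerprint(observed) - fingerprint(baseline)))
    reached = bool(observed) and observed[-1].ip == dest_ip
    if not reached:
        status = "blackholed"
    elif unexpected:
        status = "deflected"
    else:
        status = "ok"
    return PathCheck(destination, status, unexpected)


def summarize(results):
    """Count outcomes and tally which unexpected (AS, country) pairs recur.

    A pair that shows up across many destinations is the signal that a single
    transit network is siphoning a selected slice of the IXP's traffic.
    """
    counts = {"ok": 0, "deflected": 0, "blackholed": 0}
    recurring = {}
    for r in results:
        counts[r.status] += 1
        for pair in r.unexpected:
            recurring[pair] = recurring.get(pair, 0) + 1
    return {"counts": counts, "recurring": recurring}


# Constructed sample paths. The IXP's own country is not named on the page,
# so it is labelled with a placeholder code "EU".
SRC = Hop("192.0.2.254", 64497, "EU")   # our vantage point's upstream
IXP = Hop("192.0.2.1", 64496, "EU")     # the European IXP
RU = Hop("203.0.113.5", 64499, "RU")    # unexpected transit hop
SE = Hop("203.0.113.9", 64500, "SE")    # return leg via Stockholm

TAMPA_DEST = "198.51.100.10"
BASELINE_TAMPA = [SRC, IXP, Hop("198.51.100.1", 64498, "US"), Hop(TAMPA_DEST, 64498, "US")]
OBSERVED_TAMPA = [SRC, IXP, RU, Hop("198.51.100.1", 64498, "US"), Hop(TAMPA_DEST, 64498, "US")]

SK_DEST = "198.51.100.20"
BASELINE_SK = [SRC, IXP, Hop(SK_DEST, 64501, "SK")]
OBSERVED_SK = [SRC, IXP, RU, SE, Hop(SK_DEST, 64501, "SK")]

LOST_DEST = "198.51.100.30"
BASELINE_LOST = [SRC, IXP, Hop(LOST_DEST, 64502, "FR")]
OBSERVED_LOST = [SRC, IXP, RU]          # path ends inside the deflecting network


def run_sample():
    """Check the constructed paths and return (per-destination results, summary)."""
    results = [
        check_path("tampa-company", TAMPA_DEST, BASELINE_TAMPA, OBSERVED_TAMPA),
        check_path("slovakia-site", SK_DEST, BASELINE_SK, OBSERVED_SK),
        check_path("lost-in-transit", LOST_DEST, BASELINE_LOST, OBSERVED_LOST),
        check_path("unaffected", TAMPA_DEST, BASELINE_TAMPA, BASELINE_TAMPA),
    ]
    return results, summarize(results)


if __name__ == "__main__":
    results, summary = run_sample()
    for r in results:
        print(f"{r.destination:16} {r.status:10} {r.unexpected}")
    print(summary)
```

In practice the baseline comes from your own repeated traceroutes or BGP feeds toward each destination, and a single deviating path is weak evidence on its own; what makes a deflection stand out is the `recurring` tally, where one (AS, country) pair appears in the paths of many unrelated destinations at once.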

Figure 1 shows the rerouting of traffic intended for a company in Tampa FL. Figure 2 shows the rerouting of the traffic destined for Slovakia.

Fig. 1: Deflection attack on traffic to Tampa, FL, USA via Moscow

Fig. 2: Traffic to Slovakia deflected to Moscow and returned via Stockholm

Obviously, these tens of thousands of destinations were victims of cyber-attacks, unaware of whatever manipulation their traffic underwent.