Possible BGP hijacking takes Google down

Google went down Monday as a Border Gateway Protocol (BGP) issue rerouted traffic to China, Russia, and Nigeria.


Google might not be immune to Border Gateway Protocol (BGP) hijacking and leaks.

On Monday, Google services went down for over an hour as internet traffic for some G Suite and Google search users was rerouted to Nigeria, China, and Russia. Internet research firm ThousandEyes, which suspects nation-state involvement, called the traffic misdirection the worst affecting Google that it had seen. Google’s internet traffic was rerouted to the government-owned China Telecom, as well as the Russian internet provider TransTelecom and the Nigerian ISP MainOne.

Alex Henthorn-Iwane, an executive at ThousandEyes, told The Associated Press the hijacking may have been "a war-game experiment" by a nation-state.

"This incident at a minimum caused a massive denial of service to G Suite and Google Search. However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of internet surveillance. Overall, ThousandEyes detected over 180 prefixes affected by this route leak, which covers a vast scope of Google services," ThousandEyes said.

Google, however, said it has no reason to believe it was a malicious hijacking attempt. And Cloudflare CEO Matthew Prince told Ars Technica that it was likely a “big, ugly screw-up.”
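A defender-side monitoring check for the kind of event described above, added here as an example and not part of the article or of any vendor's tooling: it classifies observed BGP announcements for one monitored origin AS as valid, an origin hijack (another AS claiming the prefix), a route leak (a peering neighbour re-advertising the route onward to a third party, the pattern behind a leak like the one ThousandEyes describes), or an unexpected more-specific. All prefixes (RFC 5737 documentation space), ASNs (RFC 5398 documentation range) and the neighbour policy table are constructed values.

```python
"""Classify BGP announcements for a monitored origin AS (added example; constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List

ORIGIN_AS = 64496                                  # constructed: the network we monitor
EXPECTED_PREFIXES = {                              # constructed: what ORIGIN_AS really announces
    ip_network("192.0.2.0/24"),
    ip_network("198.51.100.0/24"),
}
# Constructed policy: how each direct neighbour of ORIGIN_AS may propagate our routes.
# "transit" providers may forward to anyone; a "peer" may only pass the route to its own customers,
# so seeing a peer in the path with a further hop beyond it means the peer leaked the route.
NEIGHBOUR_ROLE = {64497: "transit", 64498: "peer", 64499: "peer"}


@dataclass
class Announcement:
    prefix: str
    as_path: List[int]   # leftmost = AS the collector heard it from, rightmost = origin


def classify(ann: Announcement) -> str:
    """Return valid | origin-hijack | route-leak | more-specific | unknown-neighbour | unrelated."""
    if not ann.as_path:
        return "malformed"
    net = ip_network(ann.prefix)
    covering = [p for p in EXPECTED_PREFIXES if net.version == p.version and net.subnet_of(p)]
    if not covering:
        return "unrelated"                         # not our address space; nothing to judge
    if ann.as_path[-1] != ORIGIN_AS:
        return "origin-hijack"                     # another AS claims to originate our space
    if net not in EXPECTED_PREFIXES:
        return "more-specific"                     # our ASN, but a longer prefix we never announce
    if len(ann.as_path) == 1:
        return "valid"                             # collector is directly adjacent to the origin
    role = NEIGHBOUR_ROLE.get(ann.as_path[-2])
    if role is None:
        return "unknown-neighbour"                 # path claims an adjacency we do not have
    if role == "peer" and len(ann.as_path) > 2:
        return "route-leak"                        # a peer re-advertised our route to a third AS
    return "valid"


def audit(announcements: List[Announcement]):
    """Return (prefix, as_path, verdict) for every announcement, valid ones included."""
    return [(a.prefix, a.as_path, classify(a)) for a in announcements]


# Constructed sample feed as a route collector peering with AS 64500 might see it.
SAMPLE = [
    Announcement("192.0.2.0/24", [64500, 64497, 64496]),     # via transit provider: valid
    Announcement("192.0.2.0/24", [64500, 64498, 64496]),     # peer 64498 passed it on: leak
    Announcement("198.51.100.0/24", [64500, 64501]),         # foreign origin: hijack
    Announcement("192.0.2.0/25", [64500, 64497, 64496]),     # more-specific we never announced
    Announcement("203.0.113.0/24", [64500, 64502]),          # not our space
]

if __name__ == "__main__":
    for prefix, path, verdict in audit(SAMPLE):
        print(f"{verdict:16} {prefix:18} {' '.join(map(str, path))}")
```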

Other cybersecurity news:

U.S. aligns with Russia and China, saying no to more trust and security in cyberspace

Although 51 countries and hundreds of tech corporations (pdf) such as Facebook, Google, and Microsoft supported the “Paris Call for Trust and Security in Cyberspace” (pdf), the United States did not sign it — nor did Russia, China, Iran, Israel or the U.K., according to Wired. The initiative was primarily aimed at improving the internet’s security, stopping private companies from hacking back, and preventing malicious cyber activities and interference with electoral processes.

‘The White Company' — a new, state-sponsored APT group discovered

The Cylance Threat Intelligence team says it has discovered a new, highly sophisticated state-sponsored APT group. It was dubbed “The White Company,” as the group takes “many elaborate measures” to “whitewash all signs of their activity and evade attribution.”

Like other sophisticated government-backed cyber-espionage groups, The White Company is capable of developing malware and exploits made specifically for targets. However, its profile “does not resemble that of the U.S., Five Eyes, or India — nor any known Russian, Chinese, North Korean, Iranian, or Israeli groups.”

Cylance said the new threat actors have access to zero-day exploit developers, a complex and automated exploit system, and the capacity for advanced reconnaissance of targets. It is the first threat actor seen by Cylance to effectively evade “no less than eight different antivirus products — Sophos, ESET, Kaspersky, BitDefender, Avira, Avast!, AVG, and Quick Heal — before turning them against their owners by deliberately surrendering to them on specific dates in order to distract, delay, and divert the targets’ resources.”

To escape attribution, The White Company had four different ways within an exploit to check if the malware was on an investigator’s system, could clean up Word and launch a decoy document to reduce suspicion, and could completely delete itself from a target’s system. Its malware had five different obfuscation techniques, with the payload buried within “nesting-doll layers,” and used “compromised or otherwise un-attributable network infrastructure for command and control.”

More details, such as the exploit kits, malware and infrastructure used by The White Company, as well as details on the year-long espionage campaign, Operation Shaheen, waged against the Pakistani government and military, can be found in Cylance’s 138-page report.
