Suspicious event routes traffic for Apple, other tech sites through Russia

Traffic sent to and from Apple, Google, Facebook, and Microsoft was briefly routed through a previously unknown Russian Internet provider yesterday under circumstances that researchers said were "suspicious and intentional," Ars Technica reports.

According to a blog post published Wednesday by Internet monitoring service BGPMon, the hijack lasted a total of six minutes and affected 80 separate address blocks. It started at 4:43 UTC and continued for three minutes. A second hijacking occurred at 7:07 UTC and also lasted three minutes. Meanwhile, a second monitoring service, Qrator Labs, said the event lasted for two hours, although the number of hijacked address blocks varied from 40 to 80 during that time.


While BGP rerouting events are often the result of human error rather than malicious intent, BGPMon researchers said several things made Wednesday's incident "suspicious." First, the rerouted traffic belonged to some of the most sensitive companies, which—besides Google, Facebook, Apple, and Microsoft—also included Twitch, NTT Communications, and Riot Games. 

Besides the cherry-picked targets, the hijacked IP addresses were announced as smaller, more specific blocks than the prefixes announced by the affected companies, which BGPMon read as an indication that the rerouting was "intentional." Because routers forward on the longest matching prefix, a more-specific announcement draws traffic away from the legitimate, shorter prefix regardless of how the two AS paths compare, which is exactly what makes the technique effective. To prevent future incidents, ISPs and backbones will have to be more stringent than they currently are about trusting newly announced routes, Ars Technica notes.
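As an added example (not code from the Ars Technica or BGPMon reporting), the following Python script shows how an operator or route monitor could flag the two patterns described above: announcements of more-specific sub-prefixes, and announcements of a known prefix from an unexpected origin AS, checked against a local allow-list of expected (prefix, origin AS, maximum prefix length) entries. The prefixes and AS numbers are constructed from documentation and private ranges (RFC 5737, RFC 3849, RFC 6996), not the blocks involved in the incident, and the allow-list format is an assumption that mirrors the logic of RPKI route-origin validation rather than any real published feed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectedRoute:
    """One allow-list entry: who may originate this prefix and how finely it may be split.
    Same shape as an RPKI ROA (prefix, origin ASN, maxLength); the entries below are assumptions."""
    prefix: object          # ipaddress.IPv4Network or IPv6Network
    origin_asn: int
    max_len: int


def load_expected(entries):
    """Parse (prefix string, origin ASN, max length) tuples into ExpectedRoute records."""
    return [ExpectedRoute(ipaddress.ip_network(p), asn, ml) for p, asn, ml in entries]


# Constructed allow-list: documentation prefixes and private ASNs, not real routes.
EXPECTED_ROUTES = load_expected([
    ("203.0.113.0/24", 64496, 24),   # may only be announced whole
    ("198.51.100.0/22", 64497, 24),  # owner is allowed to deaggregate down to /24
    ("2001:db8::/32", 64498, 48),
])


def classify_announcement(announcement, expected):
    """Return 'valid', 'more-specific', 'wrong-origin' or 'unknown' for one (prefix, origin) pair."""
    prefix_str, origin = announcement
    net = ipaddress.ip_network(prefix_str)
    # Allow-list entries whose prefix covers (or equals) the announced one, same address family.
    covering = [e for e in expected
                if e.prefix.version == net.version and net.subnet_of(e.prefix)]
    if not covering:
        return "unknown"          # nobody we track claims this space
    for e in covering:
        if e.origin_asn == origin and net.prefixlen <= e.max_len:
            return "valid"        # right origin, within the allowed deaggregation
    if any(net.prefixlen > e.prefix.prefixlen for e in covering):
        # A sub-prefix of a tracked block: it wins longest-prefix match against the real route,
        # which is the pattern BGPMon called out in this incident.
        return "more-specific"
    return "wrong-origin"         # exact tracked prefix, but from an unexpected origin AS


def find_suspicious(table, expected):
    """Run every observed announcement through the classifier and keep the non-valid ones."""
    results = []
    for prefix_str, origin in table:
        verdict = classify_announcement((prefix_str, origin), expected)
        if verdict != "valid":
            results.append((prefix_str, origin, verdict))
    return results


# Constructed snapshot of announcements as a route collector might see them.
OBSERVED_TABLE = [
    ("203.0.113.0/24", 64496),    # legitimate
    ("203.0.113.0/25", 64511),    # more-specific from an AS we have never seen originate it
    ("203.0.113.128/25", 64511),  # the other half of the same block
    ("198.51.100.0/24", 64497),   # legitimate deaggregation within max_len
    ("198.51.100.0/22", 64511),   # exact prefix, wrong origin
    ("2001:db8:1::/48", 64511),   # more-specific IPv6 sub-prefix
    ("192.0.2.0/24", 64511),      # not in our allow-list at all
]


if __name__ == "__main__":
    for prefix, asn, verdict in find_suspicious(OBSERVED_TABLE, EXPECTED_ROUTES):
        print(f"{verdict:14s} {prefix:20s} origin AS{asn}")
```

Two caveats worth keeping in mind: a sub-prefix announced by the legitimate owner but longer than its `max_len` is flagged as "more-specific" too (the same strict behaviour route-origin validation has), and the check is only as good as the allow-list. In the incident above the tell was the combination of an origin AS nobody had seen before and sub-prefixes carved out of many unrelated companies' blocks at once, so in practice this classifier would be paired with a baseline of historically seen origins rather than a hand-written list.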