China and Russia suspected of hijacking Google internet traffic in ‘war game experiment’
- Tech website ThousandEyes says diversion of data ‘put valuable Google traffic in the hands of ISPs in countries with a long history of internet surveillance’
An internet traffic diversion that sent data through Russia and China disrupted Google services on Monday, including search and cloud-hosting services and its bundle of collaboration tools for businesses.
Service interruptions lasted for nearly two hours and ended about 5.30pm New York time, network service companies said. In addition to Russian and Chinese telecommunications companies, a Nigerian internet provider was also involved.
The diversion “at a minimum caused a massive denial of service to G Suite (business collaboration tools) and Google Search” and “put valuable Google traffic in the hands of ISPs (internet service providers) in countries with a long history of internet surveillance”, the network-intelligence company ThousandEyes said in a blog post.
A Google status page noted that “access to some Google services was impacted” and said the cause was “external to Google”. The company offered little more information.
The type of traffic misdirection employed, known as border gateway protocol hijacking, can knock essential services offline and be used in espionage and financial theft. It can result either from misconfiguration – usually due to human error – or from malicious action.
Most network traffic to Google services – 94 per cent as of October 27 – is encrypted, which shields it from prying eyes even if diverted.
Alex Henthorn-Iwane, an executive at ThousandEyes, called Monday’s incident the worst affecting Google his San Francisco company has seen.
He said he suspected nation-state involvement because the traffic was effectively landing at state-run China Telecom. A recent study by US Naval War College and Tel Aviv University scholars found China systematically hijacks and diverts US internet traffic.
Google, which has been working on a censored search engine for mainland Chinese web users, said it had no reason to believe the traffic hijacking was malicious. It did not explain why.
Henthorn-Iwane said Monday’s hijacking may have been “a war game experiment”.
In two recent cases, such diverting has affected financial sites. In April 2017, one affected MasterCard and Visa among other sites. In April, another hijacking enabled cryptocurrency theft.
ThousandEyes named the companies involved in Monday’s incident, in addition to China Telecom, as the Russian internet provider Transtelecom and Nigerian ISP MainOne.
Both ThousandEyes and the US network monitoring company BGmon said the internet traffic detour originated with the Nigerian company. Neither was ready to more definitively pinpoint the cause.