Citing BGP hijacks and hack attacks, feds want China Telecom out of the US
Citing the misrouting of US Internet traffic, malicious hacking and control by the Chinese government, a group of US executive agencies are recommending the FCC revoke the license authorizing China Telecom to provide international telecommunications services to and from the United States.
The recommendation comes amid an escalation in tensions between the US and China over a host of issues, including trade, disagreements about the handling of the novel coronavirus, and hacking. Thursday’s move comes as part of a review the FCC disclosed last year, when the agency barred China Mobile Limited from the US market. The federal government has also designated both Huawei and ZTE as national security threats.
“The security of our government and professional communications, as well as of our most private data, depends on our use of trusted partners from nations that share our values and our aspirations for humanity,” John C. Demers, assistant attorney general for national security, said in a release. “Today’s action is but our next step in ensuring the integrity of America’s telecommunications systems.”
The state-owned China Telecom says it’s the country’s second-biggest mobile operator, with about 336 million mobile subscribers, about 153 million wireline broadband subscribers, and about 111 million access lines. China Telecom Americas, the subsidiary that operates in the US, received authorization from the FCC in 2002, according to this timeline. China Telecom Americas has had an impressive compound annual revenue growth rate of 68% since 2005, the timeline adds.
Hijacking huge swaths of the Internet
Over the past decade, the Chinese telecom has been at the center of several major security events, most visibly those involving the misrouting of huge chunks of Internet traffic sent to and from the US and other countries.
One of the more concerning events came to light in 2018 when a researcher revealed that China Telecom had diverted US domestic Internet communications to mainland China before sending them on to their intended destinations. The improper paths—which were the result of manipulations to border gateway protocol tables that route traffic from one backbone provider to another—occurred over a two-and-a-half-year span, from 2015 to 2017.
Another BGP mishap occurred in 2019 when China Telecom diverted traffic destined for some of Europe’s biggest mobile providers for two hours. A third event in 2014 repeatedly sent traffic traveling inside the borders of Russia through China Telecom servers. There’s conflicting evidence about whether the latter two incidents were malicious hijackings or accidental routing leaks.
BGP is largely based on the implicit trust one provider—which in Internet parlance is known as an AS, or autonomous system—places in another. These ASes “announce routes” that other ASes should use to reach networks in particular geographic regions. While BGP favors the shortest, most direct paths, erroneous or malicious announcements can cause traffic to follow roundabout paths that can cause major outages or worse. BGP hijackings are especially concerning because they allow spies from China, Russia, or elsewhere to monitor or tamper with any unencrypted data that improperly passes through their networks before it is sent on to the intended destination.
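To make the trust problem concrete, here is an added example (not code from the article or from any of the providers it names) that checks BGP announcements the way a network defender would: each prefix is compared against a constructed authorization table in the spirit of RPKI route origin authorizations, and any AS path that transits a watched AS is flagged. The AS numbers, prefixes and watch list are all constructed for illustration.

```python
import ipaddress

# Constructed authorization table (the idea behind RPKI ROAs):
# prefix -> (authorized origin AS, longest prefix length allowed)
ROAS = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 23),
}

# Constructed watch list: ASes that our prefixes should never transit.
WATCHED_TRANSIT = {64666}

def validate_origin(prefix, as_path):
    """Classify an announcement like a ROA check: 'valid', 'invalid-origin',
    'invalid-length' (a more-specific announced beyond the authorized length)
    or 'not-found' (no authorization covers the prefix). as_path ends at origin."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [(ipaddress.ip_network(p), o, l) for p, (o, l) in ROAS.items()]
    covering = [c for c in covering if net.subnet_of(c[0])]
    if not covering:
        return "not-found"
    if any(o == origin and net.prefixlen <= l for _, o, l in covering):
        return "valid"
    if any(o == origin for _, o, l in covering):
        return "invalid-length"
    return "invalid-origin"

def unexpected_transit(as_path):
    """Return watched ASes that appear as transit (anywhere but the origin)."""
    return sorted(set(as_path[:-1]) & WATCHED_TRANSIT)

def triage(announcements):
    """Run both checks over (prefix, as_path) tuples; return a list of alerts."""
    alerts = []
    for prefix, path in announcements:
        status = validate_origin(prefix, path)
        transit = unexpected_transit(path)
        if status != "valid" or transit:
            alerts.append((prefix, status, transit))
    return alerts

# Constructed sample updates: a normal route, an origin hijack,
# a more-specific hijack, and a valid route that transits a watched AS.
SAMPLE = [
    ("203.0.113.0/24", [64510, 64500]),
    ("203.0.113.0/24", [64510, 64666]),
    ("198.51.100.0/24", [64510, 64501]),
    ("203.0.113.0/24", [64510, 64666, 64500]),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

The last sample shows why origin validation alone is not enough: the origin is legitimate, but the path still carries the prefix through an AS the operator never expected to see in transit, which is exactly the pattern the misrouting incidents above describe.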
A decade of high-profile hacks
US government officials have other concerns. Hacking groups widely believed to work on behalf of the Chinese government have been active in attacks against the US and its allies. One group that’s known under a variety of names, including LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti, is behind a decade of malicious hacks, according to a report released in 2018. The Chinese government has also been tied to attacks on satellite, defense, and telecom firms, the Federal Deposit Insurance Corporation, and Google, to name only a few.
Thursday’s recommendation was jointly issued by the Departments of Justice, Homeland Security, Defense, State, and Commerce, and the United States Trade Representative. The release cited the following basis for the recommendation:
- the evolving national security environment since 2007 and increased knowledge of the PRC’s role in malicious cyber activity targeting the United States;
- concerns that China Telecom is vulnerable to exploitation, influence, and control by the PRC government;
- inaccurate statements by China Telecom to US government authorities about where China Telecom stored its US records, raising questions about who has access to those records;
- inaccurate public representations by China Telecom concerning its cybersecurity practices, which raise questions about China Telecom’s compliance with federal and state cybersecurity and privacy laws; and
- the nature of China Telecom’s US operations, which provide opportunities for PRC state-actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of US communications.
In a statement, officials with China Telecom Americas wrote:
Today, several government agencies took the procedurally unprecedented step of making allegations related to China Telecom Americas’ FCC licensing. We unequivocally deny the allegations. The company has always been extremely cooperative and transparent with regulators. In many instances, we have gone beyond what has been requested to demonstrate how our business operates and serves our customers following the highest international standards. We look forward to sharing additional details to support our position and addressing any concerns.
US governmental officials and some researchers disagree and say that China’s offensive hacking is extensive.
Complicating matters, attributing hacks to specific groups or countries is notoriously difficult, since attackers frequently plant false flags that wrongly implicate rivals. What’s more, BGP routing mishaps happen frequently as a result of error rather than malice. Earlier this week, for instance, an exchange of routing information between Russian providers Rascom (AS 20764) and Rostelecom (AS 12389) caused traffic to be improperly routed through Russia. The event lasted for about seven minutes and affected some of the biggest names on the Internet, including Cloudflare, Amazon, Akamai, Digital Ocean, Linode, Hetzner, OVH, Leaseweb, Softlayer, Portlane, Fastly, and Alibaba. Two BGP experts, who asked not to be named because their employers didn’t authorize them to speak on the record, said all evidence points to the misrouting being the result of a configuration error.
And in cases when BGP events are the work of China or other countries, kicking their telecoms out of the US does little to stop hijackings.
“BGP hijacks can be conducted from anywhere and don’t require [physical presence] in the US,” one of the experts said. “Which makes this move seem more like punishment or retribution than a move that would actually stop hijacks.”