Apple Network Traffic Was Hijacked through Russian Networks for 12 Hours

The FPS Review may receive a commission if you purchase something after clicking a link in this article.

Image: Apple

Apple network traffic took a brief 12-hour detour through the Russian Rostelecom network that spanned July 26-27. Reports state that Rostelcom began announcing routes for Apple’s network Tuesday evening in what is referred to as a BGP (Border Gateway Protocol) hijack.

Around 21:25 UTC On 26 July 2022, Rostelecom’s AS12389 network started announcing This prefix is part of Apple’s block; usually, Apple only announces the larger block and not this shorter prefix length.

Image: CISCO BGPStream

Aftab Siddiqui (MANRS Internet Society senior internet technology manager) said this is not the first time that Rostelecom was involved in a BGP hijack as another happened in 2020 involving Amazon and many others.

To get more information, I looked up all the announcements from AS12389 with the AS_PATH “20764 12389”. I used bgpdump, as it has more peers than route-views. Instantly there were several hits (4569 unique announcements) and none of them belonged to AS12389. Hurricane Electric’s BGP Toolkit also noted a similar number (4567).

Out of those 4569 prefixes, 4255 belong to Amazon(AS16509 and AS14618), 85 belong to Akamai (AS20940, AS16625), and the rest belong to several different service providers including Level3, Alibaba, Digital Ocean, Linode, and others.

Clearly, Rostelecom (AS12389) has experience with BGP hijacking but it is not known what data may have been extracted from the Apple network traffic or what services may have been impacted during that period. Mr. Siddiqui went on to say that “When the routes a network is announcing are not covered by valid Route Origin Authorization (ROA), the only option during a route hijack is to announce more specific routes.” Apple networking engineers did start announcing a more specific range of routing addresses 5 hours after CISCO BGPStream reported on the possible hijack but AS12389 did not cease its broadcasts until roughly 09:39 UTC on July 27. So far, Apple has not responded to requests regarding the incident.

The Register asked MANRS whether anyone there had heard anything from Apple since its post was published and a spokesperson replied, “We have not heard anything from Apple yet on this issue. The MANRS team is reaching out privately to learn more about the incident.”

Source: MANRS (via The Register)

Join the discussion for this post on our forums...

Peter Brosdahl
As a child of the 70’s I was part of the many who became enthralled by the video arcade invasion of the 1980’s. Saving money from various odd jobs I purchased my first computer from a friend of my dad, a used Atari 400, around 1982. Eventually it would end up being a lifelong passion of upgrading and modifying equipment that, of course, led into a career in IT support.

Recent News