Image: Apple

Apple network traffic took a roughly 12-hour detour through the Russian Rostelecom network spanning July 26-27. Reports state that Rostelecom began announcing routes for Apple's address space on Tuesday evening (UTC) in what is known as a BGP (Border Gateway Protocol) hijack.

Around 21:25 UTC on 26 July 2022, Rostelecom's AS12389 started announcing 17.70.96.0/19. This prefix lies inside Apple's 17.0.0.0/8 block, but Apple normally announces only the covering 17.0.0.0/9, not this more specific /19. Because BGP prefers the longest matching prefix, routers that accepted the /19 sent traffic for that range toward Rostelecom instead of Apple.

Image: Cisco BGPStream

Aftab Siddiqui (senior internet technology manager at the Internet Society's MANRS initiative) said this is not the first time Rostelecom has been involved in a BGP hijack; another incident in 2020 affected Amazon and many others.

To get more information, I looked up all the announcements from AS12389 with the AS_PATH "20764 12389". I used Isolario.it bgpdump, as it has more peers than route-views. Instantly there were several hits (4569 unique announcements), and none of them belonged to AS12389. Hurricane Electric's BGP Toolkit also noted a similar number (4567).

Out of those 4569 prefixes, 4255 belong to Amazon (AS16509 and AS14618), 85 belong to Akamai (AS20940 and AS16625), and the rest belong to several different service providers including Level3, Alibaba, DigitalOcean, Linode, and others.

Clearly, Rostelecom (AS12389) has experience with BGP hijacking, but it is not known what data may have been extracted from Apple's network traffic or what services may have been affected during that period. Mr. Siddiqui went on to say that "When the routes a network is announcing are not covered by valid Route Origin Authorization (ROA), the only option during a route hijack is to announce more specific routes." Apple's network engineers did start announcing more specific routes roughly 5 hours after Cisco BGPStream reported the possible hijack, but AS12389 did not withdraw its announcement until roughly 09:39 UTC on July 27. So far, Apple has not responded to requests for comment on the incident.
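The three mechanics in the paragraphs above (a more specific prefix beating the covering route, the "20764 12389" AS_PATH query, and why a ROA changes the picture) can be shown in a few dozen lines. The following is an added example, not code from the article or from MANRS: it runs RFC 6811 route origin validation and longest-prefix match over constructed bgpdump-style lines. All dump lines, the ROA table and the "more specific" remedy are constructed sample data; AS714 as Apple's origin AS and the two /20s Apple is assumed to announce are assumptions of the example (the page itself names only AS12389 and its peer AS20764).

```python
"""Added example (not from the article or MANRS): route origin validation
(RFC 6811 semantics) and longest-prefix match run over constructed BGP
data modelled on the incident. Every dump line, the ROA table and the
"more specific" remedy below are constructed sample data; AS714 as
Apple's origin is an assumption (the page names only AS12389/AS20764)."""
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
ROAS = [(ipaddress.ip_network("17.0.0.0/9"), 9, 714)]

# Constructed lines in bgpdump -m layout:
# type|time|A|peer_ip|peer_as|prefix|as_path|origin|next_hop|...
# 198.51.100.0/24 and 203.0.113.0/24 are documentation prefixes standing in
# for the other victims' space; the /9 line is Apple's normal announcement.
SAMPLE_DUMP = """\
BGP4MP|1658870700|A|10.0.0.1|20764|17.70.96.0/19|20764 12389|IGP|10.0.0.1|0|0||NAG||
BGP4MP|1658870701|A|10.0.0.1|20764|198.51.100.0/24|20764 12389|IGP|10.0.0.1|0|0||NAG||
BGP4MP|1658870702|A|10.0.0.1|20764|203.0.113.0/24|20764 12389|IGP|10.0.0.1|0|0||NAG||
BGP4MP|1658870703|A|10.0.0.2|6939|17.0.0.0/9|6939 714|IGP|10.0.0.2|0|0||NAG||
BGP4MP|1658870704|A|10.0.0.1|20764|192.0.2.0/24|20764 12389 64500|IGP|10.0.0.1|0|0||NAG||
"""

# Hypothetical remedy: the victim covers the hijacked /19 with two /20s.
APPLE_MORE_SPECIFICS = [("17.70.96.0/20", (6939, 714)), ("17.70.112.0/20", (6939, 714))]


def parse_dump(text):
    """Return [(prefix, as_path tuple)] for announcement ('A') lines.
    AS_SET tokens such as '{64500}' are dropped; the sample has none."""
    routes = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] != "A":
            continue
        path = tuple(int(a) for a in f[6].split() if a.isdigit())
        routes.append((f[5], path))
    return routes


def announced_via(routes, path):
    """Prefixes whose AS_PATH is exactly `path` (the article's '20764 12389'
    query); a path where 12389 is merely transit does not match."""
    return sorted({p for p, ap in routes if ap == tuple(path)})


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'.
    A ROA covers the route when its prefix contains the route prefix; the
    route is valid only if a covering ROA names origin_as and the route's
    length does not exceed that ROA's maxLength."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if net.version != roa_prefix.version or not net.subnet_of(roa_prefix):
            continue
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def classify_hijacker_routes(routes, hijacker_path=(20764, 12389), roas=ROAS):
    """Map each prefix seen with `hijacker_path` to its ROV state."""
    origin = hijacker_path[-1]
    return {p: rov_state(p, origin, roas) for p in announced_via(routes, hijacker_path)}


def best_origin(dest, routes):
    """Origin AS of the longest-matching prefix for `dest`: BGP forwards to
    the most specific route regardless of who announced the covering one."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path[-1])
    return best[1] if best else None


if __name__ == "__main__":
    routes = parse_dump(SAMPLE_DUMP)
    print(classify_hijacker_routes(routes))          # /19 invalid, /24s notfound
    print(rov_state("17.70.96.0/19", 12389, roas=[]))  # notfound with no ROA at all
    print(best_origin("17.70.96.10", routes))        # 12389: the /19 wins
    print(best_origin("17.70.96.10", routes + APPLE_MORE_SPECIFICS))  # 714 again
```

Two things the run makes concrete. With a ROA for 17.0.0.0/9 in place, the Rostelecom /19 validates as invalid and any network doing ROV drops it; with no ROA at all the same announcement is merely "notfound", which routers accept, so the only remedy left is to out-specific the hijacker, exactly as Siddiqui says. The second point is the caveat: with maxLength 9, Apple's own emergency /20s would also be invalid, so a ROA set should either cover the more specifics you plan to announce under attack or be issued for them on the day; setting maxLength loosely "just in case" is the wrong fix, since it lets a forged-origin sub-prefix pass ROV too.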

The Register asked MANRS whether anyone there had heard anything from Apple since its post was published and a spokesperson replied, “We have not heard anything from Apple yet on this issue. The MANRS team is reaching out privately to learn more about the incident.”

Source: MANRS (via The Register)



Peter Brosdahl


6 comments

  1. It's amazing this even works.

    Anything transferring data like that should be using cryptographic authentication, making any MITM attack utterly useless.

    Also, if the Russians are going to do **** like this, we should just cut them off from the Internet.
  2. It's amazing this even works.

    Anything transferring data like that should be using cryptographic authentication, making any MITM attack utterly useless.

    Also, if the Russians are going to do **** like this, we should just cut them off from the Internet.

    This isn't your traditional MITM attack. The attackers sucked up copies of ALL of that encrypted data. The question is, do they have the ability to decrypt it fast enough to be damaging to Apple enough so they cut them a check for 40 million or so and write it off as a security expense?

    Because I doubt they got 'code' data or 'chip blueprints' or anything like that. But internal emails... bemoaning customers or talking about them as sheeple or anything else that would be daddy Apple insulting its customers directly... that would hurt Apple's stock in a big way. They literally could lose over a trillion in value.

    The game here is if apple is hiring a team from what used to be blackwater to go in and scrub those data archives (you know what I mean) to make sure that they are not at risk and the hackers learn that messing with Apple hurts... in a big way.
  3. But internal emails..
    If any of those relate to any forthcoming tech and/or patents I'm sure that someone is hard at work in decrypting and probably will end up for sale to the highest bidders. Two of whom most of us could easily guess and one that is still quite cozy with Russia.
  4. It's amazing this even works.

    Anything transferring data like that should be using cryptographic authentication, making any MITM attack utterly useless.

    Also, if the Russians are going to do **** like this, we should just cut them off from the Internet.
    According to the researchers, it had a bit to do with Apple not being more specific in its addressing schema and not using Route Origin Authorization (ROA). Some might call that lazy for a company that many still believe to have a focus on security and privacy. Not to say that there are not many others guilty of the same, since this has happened to a number of other big targets as well.
