Though former U.S. President Barack Obama and Chinese leader Xi Jinping signed an agreement for both countries to bring an end to hacking for commercial gain, the Chinese Communist Party (CCP) did not stop its espionage activities. It merely adopted another method of theft.
According to a recent report from Military Cyber Affairs, a journal published by the Military Cyber Professionals Association, the Chinese regime switched from using cyberattacks to a method of stealing by intercepting sensitive information being transferred over the internet.
The main culprit involved in this operation was China Telecom, a Chinese state-owned telecommunications company. Report authors Chris C. Demchak of the U.S. Naval War College and Yuval Shavitt of Tel Aviv University stated that the CCP likely used China Telecom rather than other key Chinese telecommunication companies Huawei and ZTE due to the controversy surrounding the latter two at the time.
Though privately owned, both companies have close ties to the Chinese regime. Their products have been rejected by governments around the world due to the risk of espionage and national security breaches.
Though the 2015 Obama–Xi agreement initially significantly decreased direct attacks on computer networks, “it did nothing to prevent the hijacking of the vital internet backbone of Western countries.”
“Conveniently, China Telecom has 10 strategically placed, Chinese controlled internet ‘points of presence’ (PoPs) across the internet backbone of North America,” the report said.
PoPs are local access points that connect users from one area to the rest of the internet.
China Telecom hijacked data through its PoPs in the internet infrastructure of the United States and other Western countries, then redirected the internet traffic through China for “malicious use.” The report notes that internet nodes used in this form of theft are located “all over the world including Europe and Asia.”
“Vast rewards can be reaped from the hijacking, diverting, and then copying of information-rich traffic going into or crossing the United States and Canada—often unnoticed and then delivered with only small delays,” according to the report.
The authors, highlighting the seriousness of the threat, wrote, “The prevalence of and demonstrated ease with which one can simply redirect and copy data by controlling key transit nodes buried in a nation’s infrastructure requires an urgent policy response.” They recommended adopting a strategy between U.S. allies in order to “restrict China’s internet hijacking options and fix the imbalance in information access and potential losses.”
Intercepting and rerouting internet traffic allows China “access to the organization’s network, to stealing valuable data, adding malicious implants to seemingly normal traffic, or simply modifying or corrupting valuable data,” the report stated.
China Telecom currently has eight PoPs in the United States and two in Canada. These include points in Washington, New York, Los Angeles, Dallas, and other major cities. The report states that by using these points, China Telecom could hijack domestic U.S. and inter-country traffic and redirect it over days, weeks, and months.
While some could argue that the redirected internet traffic could be written off as normal internet behavior for such companies, “these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics—namely the lengthened routes and the abnormal durations.”
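The two indicators the authors single out, a lengthened route and an abnormal duration, can be checked against routing observations. The following is an added example and not code from the report; the prefix, AS numbers and dates are constructed and the baseline path is assumed to be known from prior observation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class RouteObs:
    seen: datetime            # time the path was observed at a route collector
    prefix: str               # destination prefix
    as_path: tuple[int, ...]  # AS path from the vantage point, origin last

# Constructed baseline: the path normally used to reach each prefix.
# ASNs are from the private range; no real network is implied.
BASELINE = {"203.0.113.0/24": (64500, 64501, 64502)}

# Constructed observations: a detour via AS 64999/64998 appears and persists.
OBSERVATIONS = [
    RouteObs(datetime(2016, 2, 1), "203.0.113.0/24", (64500, 64501, 64502)),
    RouteObs(datetime(2016, 2, 10), "203.0.113.0/24", (64500, 64999, 64998, 64501, 64502)),
    RouteObs(datetime(2016, 3, 15), "203.0.113.0/24", (64500, 64999, 64998, 64501, 64502)),
    RouteObs(datetime(2016, 7, 25), "203.0.113.0/24", (64500, 64999, 64998, 64501, 64502)),
    RouteObs(datetime(2016, 8, 5), "203.0.113.0/24", (64500, 64501, 64502)),
]

def detour_spans(obs, baseline):
    """Group consecutive observations whose AS path is longer than the baseline
    and traverses ASes the baseline never does; returns
    (prefix, extra_ases, first_seen, last_seen) tuples."""
    spans, current = [], None
    for o in sorted(obs, key=lambda x: x.seen):
        base = baseline.get(o.prefix)
        if base is None:
            continue
        extra = tuple(a for a in o.as_path if a not in base)
        is_detour = bool(extra) and len(o.as_path) > len(base)
        if is_detour and current and current[:2] == [o.prefix, extra]:
            current[3] = o.seen  # same detour still in place
            continue
        if current:
            spans.append(tuple(current))
            current = None
        if is_detour:
            current = [o.prefix, extra, o.seen, o.seen]
    if current:
        spans.append(tuple(current))
    return spans

def long_lived_detours(obs, baseline, min_duration=timedelta(days=30)):
    """Keep only detours that outlast min_duration: a brief flap can be ordinary
    routing, while a months-long detour matches the report's espionage pattern."""
    return [s for s in detour_spans(obs, baseline) if s[3] - s[2] >= min_duration]
```

Running `long_lived_detours(OBSERVATIONS, BASELINE)` on the constructed data returns one span covering the detour from February to July.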
The report provided evidence of its claims, showing how internet traffic was hijacked by China Telecom, including an incident in 2016, when data transferred from Canada to South Korean government sites was hijacked by China Telecom and rerouted through China for close to six months.
“This is a perfect scenario for long-term espionage, where the victim’s local protections won’t raise alarms about the long-term traffic detours,” the report said.
A similar hijack targeted data being transferred from the United States to a large “Anglo-American bank” headquartered in Milan, Italy. The report did not identify the bank by name. It stated that internet traffic that started at the PoP belonging to ChinaNet—a wholly owned unit of China Telecom—near Los Angeles was hijacked for nine hours, and that “ChinaNet actors seemed to have difficulties in routing the traffic back to Milan.”
“The route inside the Chinese network changed several times as the attackers worked to try and redirect the traffic back,” the report read.
The Chinese regime has taken advantage of “the Internet distributed systems’ hacking flaws” in order to achieve its goals of controlling foreign communications, according to U.S.-based finance and tech expert Chriss Street.
Given the seriousness of the threat, which bypasses the targets’ security systems and avoids the need for conventional hacking by simply copying data as it is transferred, the authors state that a new policy is needed to combat such attacks: an “Access Reciprocity” policy. It would, for example, require Beijing to allow U.S. telecoms firms to run as many PoPs in China as Chinese telecoms firms run in the United States. If China refuses reciprocity, the United States could block traffic from passing through a Chinese PoP.