China Telecom, a state-owned telecommunications firm, has systematically diverted internet traffic in Canada and the United States by shunting it through its own network in an effort to commit espionage and steal intellectual property, two cybersecurity researchers say.
Yuval Shavitt of Tel Aviv University and Chris Demchak of the U.S. Naval War College in Newport, R.I., published a paper recently in Military Cyber Affairs, the journal of the Military Cyber Professionals Association, outlining how China has been rerouting Canadian and U.S. internet traffic via access points it has set up legally in North America, ostensibly to improve service for its customers.
Although the Chinese government has signed no-hacking agreements with numerous Western countries, including Canada and the United States, to prohibit direct attacks on computer networks, the accords did nothing to prevent the diverting of online traffic on key Western internet infrastructure, the authors say.
“China Telecom has ten strategically placed, Chinese-controlled internet ‘points of presence’ (PoPs) across the internet backbone of North America,” Prof. Shavitt and Prof. Demchak say. “Vast rewards can be reaped from the hijacking, diverting, and then copying of information-rich traffic going into or crossing the United States and Canada – often unnoticed and then delivered with only small delays.”
Global Affairs Canada said Greta Bossenmaier, the Prime Minister’s national security adviser, will raise the issue with senior Chinese officials at a security and legal affairs meeting in Beijing this year.
“Canada raises such issues with China regularly. The topic of cyber hacking will be a priority when the Canada-China National Security and Rule of Law Dialogue meets next,” Global Affairs spokesperson Stefano Maron said in a statement to The Globe.
Foreign telecom carriers set up such internet access points in North America in order to serve clients in their home countries and to expand business opportunities. PoPs also make it easier for these telecom firms to influence the routing of internet traffic. China Telecom has at least eight in the United States and two in Canada – in Toronto and Vancouver, the researchers say.
Using an Israeli-designed internet traffic route tracing system, the authors detected “unusual and systematic hijacking patterns associated with China Telecom.”
One such example the authors give is the diverting of routes between Canada and South Korean government sites. For six months beginning in February, 2016, internet traffic was diverted by China Telecom and routed through its PoP in Toronto, then forwarded to its PoP on the West Coast, then on to China and finally to South Korea. The shortest route for this traffic would normally have been Toronto to the United States to South Korea, the authors say. “That this pattern continued for six months is good evidence that this was no short term misconfiguration or temporary internet conditions disruption.”
They describe what happened with the Canadian internet traffic as the “perfect scenario for long-term espionage.”
Prof. Shavitt said Monday that similar attacks have been recreated from China Telecom’s PoP in Toronto for shorter periods, including in 2018, when still more data being sent from Toronto to the South Korean government was diverted.
“It is a company that wants to make profits, of course, but it is also owned by the Chinese government and it is used by the Chinese government for these kinds of operations,” Prof. Shavitt said in an interview. “Those malicious activities are a small fraction of their activity. The major activity is commercial.”
Public Safety Minister Ralph Goodale’s office would not comment on the study.
The Communications Security Establishment, which is responsible for cybersecurity and signals intelligence, said it was aware of the report and that it takes any cyber threat seriously. The CSE said its new Canadian Centre for Cyber Security provides “extensive guidance to help Canadians secure their online communications.”
China Telecom did not respond to a request for comment. The Chinese embassy in Ottawa dismissed the Military Cyber Affairs report as “groundless speculation.”
“Cyber security is a complicated global issue given the fact that cyber attacks are conducted anonymously and across borders,” the embassy said in a statement. “The Chinese side calls for all parties to seek a common solution through enhanced dialogue and cooperation. Groundless speculation, hyping up or accusation is not helpful to solve the problem nor conducive to any party’s interests.”
The researchers – with expertise in electrical engineering and cybersecurity – say they discovered similar attacks on networks in Italy, Japan, Thailand and Scandinavia in 2016 and 2017, including traffic from U.S. locations to a large Anglo-American bank’s headquarters in Milan that terminated in China. The authors say that after the data was copied by China Telecom for encryption breaking and analysis, it was delivered to the intended networks with only small delays.
Prof. Shavitt said Canada and the United States should not be allowing China Telecom to set up PoPs in North America unless China allows Western telecoms to set up similar access points to internet infrastructure in China.
“There is no regulation [in North America] about who can own internet infrastructure ... and this is the main problem,” he said. “This is very substantial and critical infrastructure that is not regulated, and the government should actually take action and regulate who can own it.”
The authors recommend that China Telecom be limited to one PoP in North America, which would be easy to monitor, but they also say it would be better if the state entity were limited to an access point in Hong Kong.
Beijing’s ruling Communist Party does not allow U.S. or Western telecoms to set up PoPs on China’s national internet network, which means its internet traffic is protected from foreign hijacking.
Prof. Shavitt said that creates a major imbalance in access between China and Western democracies, “which allows for malicious behavior by China through China Telecom at a time and place of its choosing, while denying the same to the U.S. and its allies.”
Speaking about the current imbalance – where China forbids U.S. or Western telecom firms from internet ‘points of presence’ in China – Richard Fadden, a former director of the Canadian Security Intelligence Service, said, “in dealing with China, it’s important to recall that what is good for the goose is not good for the gander. China often takes advantage of Western openness but does not reciprocate. It’s true in a variety of sectors – trade, rule of law, etc.”
The United States and Beijing signed an agreement in 2015 to stop conducting state-sponsored cyberattacks to steal private trade secrets and proprietary technology. Ottawa signed a similar accord with China in 2017, but the deal did not cover the hijacking of internet traffic.
This is not the first time China Telecom has been accused of internet traffic hijacking. In 2010, the company denied allegations by a U.S. congressional watchdog that it had hijacked significant volumes of internet traffic by redirecting it unnecessarily through servers in China. The U.S.-China Economic and Security Review Commission said on April 8, 2010, that China Telecom rerouted traffic sent to about 15 per cent of the internet’s destinations, including branches of the U.S. military, the U.S. Senate and companies such as Microsoft Corp.