Several BGP routing anomalies occurred on January 2, a day before the US launched an operation to capture Venezuela’s president. The anomaly, identified by a security researcher using Cloudflare Radar data, showed eight prefixes leaked from Venezuela’s state-owned telecom (CANTV – AS8048) to an Italian transit provider (Sparkle – AS6762) and a Colombian carrier (GlobeNet – AS52320). BGP is inherently insecure. RPKI with signed route origin authorisations helps prevent origin hijacks, but neither Sparkle nor the paths in question had full RPKI protection, and even where it is deployed, origin validation only checks that the originating AS is authorised for the prefix: a leak that re-propagates a legitimately originated route keeps a valid origin and passes RPKI validation unchanged.
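
To make that last point concrete, here is an added example (my own illustration, not code from either blog post) of RFC 6811 route origin validation beside a valley-free AS-path check. The ROA, the AS relationships and the AS paths are constructed for the demo using private-use ASNs and an RFC 5737 prefix; they do not describe the real CANTV, Sparkle or GlobeNet topology or the paths that were observed. It shows a leaked route that ROV marks "valid" because the origin is unchanged, while the path check names the AS that violated its export policy.

```python
"""Toy RPKI origin validation (RFC 6811) plus a valley-free AS-path check.

Constructed data: the ROA, the relationships and the paths below use
private-use ASNs (64496-64513, 64666) and the RFC 5737 prefix 203.0.113.0/24.
They are illustrative only and do not describe any real network.
"""
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin ASN).
ROAS = [(ipaddress.ip_network("203.0.113.0/24"), 24, 64513)]

# Constructed relationships, keyed (a, b) -> how a relates to b:
#   "p2c": a is b's provider, "c2p": a is b's customer, "p2p": a and b peer.
# 64513 is a stub customer of 64496; 64512 buys transit from both 64496
# and 64497; 64496 and 64497 peer with each other.
REL = {
    (64496, 64513): "p2c", (64513, 64496): "c2p",
    (64496, 64512): "p2c", (64512, 64496): "c2p",
    (64497, 64512): "p2c", (64512, 64497): "c2p",
    (64496, 64497): "p2p", (64497, 64496): "p2p",
}


def rov(prefix, origin_asn):
    """RFC 6811 route origin validation: returns valid / invalid / not-found."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in ROAS if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "not-found"          # no ROA covers this prefix at all
    for _roa_net, max_len, roa_asn in covering:
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def find_leak(as_path, received_by):
    """Return the ASN that violated the valley-free export rule, or None.

    as_path is in BGP order (neighbour first, origin last).  An AS may export
    a route learned from a provider or a peer only to its customers; passing
    it on to another provider or peer is a route leak (the valley-free
    violations RFC 7908 calls types 1 through 4).
    """
    chain = [received_by] + list(as_path)
    for i in range(1, len(chain) - 1):
        me, upstream, downstream = chain[i], chain[i + 1], chain[i - 1]
        learned = REL.get((me, upstream))      # how `me` heard the route
        exported = REL.get((me, downstream))   # to whom `me` passed it on
        if learned is None or exported is None:
            raise ValueError(f"unknown relationship around AS{me}")
        if learned in ("c2p", "p2p") and exported in ("c2p", "p2p"):
            return me
    return None


def classify(prefix, as_path, received_by):
    """Run both checks on one announcement as seen by `received_by`."""
    return {"rov": rov(prefix, as_path[-1]),
            "leaked_by": find_leak(as_path, received_by)}


if __name__ == "__main__":
    # Legitimate: 64497 hears its peer 64496 announce customer 64513's prefix.
    print(classify("203.0.113.0/24", [64496, 64513], 64497))
    # Leak: 64512 re-exports the route it learned from provider 64496 to its
    # other provider 64497.  The origin is unchanged, so ROV still says valid.
    print(classify("203.0.113.0/24", [64512, 64496, 64513], 64497))
    # Hijack: a different origin for the same prefix is caught by ROV alone.
    print(rov("203.0.113.0/24", 64666))
```

The relationship table is the part a real deployment does not have for free: inferring it from route collectors is error-prone, which is why ASPA (signed provider authorisations in the RPKI) is the proposed way to make this kind of path check verifiable rather than heuristic.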

In response to this research (linked below), Cloudflare published its own blog post acknowledging that BGP anomalies happen all the time and noting that 11 BGP leaks have affected this ISP since the beginning of December. Cloudflare suggests that routing practice, rather than malfeasance, could be behind the anomalies. However, it acknowledges that it cannot say for certain that this was not a deliberate act tied to the blackout that occurred.

In my personal view, the timing and the fact that the leaked prefixes contained critical infrastructure (Banks, ISPs, Medical Facilities, manufacturing, email services) makes this incredibly suspicious. We know that Cyber Command possesses the traffic injection and inspection capabilities that could enable this type of activity. Hiding offensive cyber activity inside what appears to be routine internet routing noise is exactly the kind of approach that Cyber Command and the IC would use. This ambiguity makes it extremely difficult to determine whether the event was an innocent anomaly or a deliberate cyber operation.

Original blog post from Graham Helton: https://lnkd.in/deigDwFP
Cloudflare’s blog post: https://lnkd.in/d7QAwVbZ