Cyber Incident Victim: BT Group
Date: Mar 2015
Location: United Kingdom
Summary
A major UK telecommunications provider experienced a routing incident where internet traffic for 167 customers, including critical defense contractors and government agencies, was temporarily diverted through Ukrainian servers. This unauthorized rerouting, attributed to Border Gateway Protocol vulnerabilities, potentially exposed unencrypted communications—such as email and VPN data—to interception or manipulation. While most disruptions lasted under two hours, some persisted for several days, impacting services like corporate networks and financial operations. The incident highlighted risks associated with BGP's inherent trust model, echoing similar past routing hijacks affecting sensitive sectors.
Description
On March 13, 2015, researchers from network monitoring firm Dyn reported a Border Gateway Protocol (BGP) hijacking incident affecting 167 British Telecom (BT) customers. Between March 7 and 12, internet traffic for these organizations was diverted through Ukrainian telecommunications provider Vega's infrastructure in Kiev before reaching its intended destinations in London. The most significant diversion occurred during a concentrated 90-minute window on March 12, impacting high-profile entities including the UK Atomic Weapons Establishment (responsible for nuclear warhead delivery systems), Lockheed Martin, Toronto Dominion Bank, AgustaWestland helicopters, and the UK Department for Environment. Fourteen organizations experienced prolonged routing anomalies lasting five days, starting March 7. The rerouting caused data to travel thousands of miles through Ukraine unnecessarily, potentially exposing unencrypted communications to interception or manipulation by Vega employees with network access privileges.

Dyn's analysis revealed that the hijacked traffic included email communications, virtual private network (VPN) connections, and other corporate data streams. Affected networks hosted critical infrastructure domains containing "VPN" and "mail" identifiers, indicating exposure of authentication systems and business communications. While some impacted entities, such as PepsiCo and Walmart UK, appeared less sensitive, their networks similarly hosted mission-critical services. The incident represented a continuation of BGP exploitation patterns first documented in 2013, when Dyn observed 38 similar events diverting financial and government traffic through Belarus and Iceland. BT implemented corrective routing measures, though the exact detection timeline and containment methodology were not disclosed. The hijack's limited propagation (observed by fewer than 10% of major providers for critical targets such as the Atomic Weapons Establishment) reduced overall exposure but demonstrated persistent vulnerabilities in global routing infrastructure. No organization publicly confirmed data compromise, but the incident highlighted risks to national security assets and critical infrastructure operators relying on BGP's inherent trust model without cryptographic validation mechanisms.
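The incident was detected from the outside, by a monitoring firm comparing what route collectors around the world saw against what the affected prefixes should have looked like. The script below is an added example, not code from this page, from Dyn or from BT, of that style of route monitoring from a network owner's side: it takes a list of expected origin ASNs and permitted transit ASNs for monitored prefixes, reads route observations in a constructed "vantage|prefix|as-path" record format, and flags three anomaly classes, an unexpected origin AS (a classic origin hijack), a more-specific announcement inside a monitored prefix, and an unexpected ASN in the transit path (the "detour" pattern described above, where traffic between two London endpoints transits a third country). It also reports, per prefix, the fraction of vantage points that saw an anomalous route, which is the propagation figure Dyn used to characterise exposure. All ASNs are from the RFC 5398 documentation range and all prefixes from the RFC 5737 documentation ranges; they are constructed sample values and not the networks involved in the 2015 incident. The expected-transit check generalises beyond the specific case: the same allow-list approach catches any path through an AS the owner does not expect to carry its traffic.

```python
"""Route-monitoring style BGP anomaly detection over constructed observations.

Added example, not code from the original page, Dyn or BT. ASNs 64496-64511
and prefixes 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 are documentation
values (RFC 5398 / RFC 5737) used here as constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Expectation:
    """What a monitored prefix should look like from outside the network."""
    prefix: Net
    origin: int                   # ASN that should originate the prefix
    allowed_transit: FrozenSet[int]  # ASNs that may legitimately carry it


@dataclass(frozen=True)
class Observation:
    vantage: str                # route-collector peer that reported the route
    prefix: Net
    as_path: Tuple[int, ...]    # leftmost = nearest the vantage, rightmost = origin


@dataclass(frozen=True)
class Alert:
    kind: str        # "origin_hijack" | "more_specific" | "unexpected_transit"
    monitored: str   # the monitored prefix the route matched
    vantage: str
    detail: str


def parse_observation(line: str) -> Observation:
    """Parse the constructed 'vantage|prefix|asn asn ...' record format."""
    vantage, prefix, path = line.strip().split("|")
    return Observation(vantage, ip_network(prefix, strict=True),
                       tuple(int(asn) for asn in path.split()))


def dedupe_prepends(path: Tuple[int, ...]) -> Tuple[int, ...]:
    """Collapse AS-path prepending (64500 64500 64496 -> 64500 64496)."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def match_expectation(prefix: Net, expectations: Iterable[Expectation]) -> Optional[Expectation]:
    """Longest-prefix match of an observed route against the monitored set."""
    best = None
    for exp in expectations:
        if prefix.version == exp.prefix.version and prefix.subnet_of(exp.prefix):
            if best is None or exp.prefix.prefixlen > best.prefix.prefixlen:
                best = exp
    return best


def check(obs: Observation, exp: Expectation) -> List[Alert]:
    """Compare one observed route with the expectation it matched."""
    alerts: List[Alert] = []
    mon = str(exp.prefix)
    if obs.prefix != exp.prefix:
        alerts.append(Alert("more_specific", mon, obs.vantage,
                            f"{obs.prefix} announced inside {exp.prefix}"))
    path = dedupe_prepends(obs.as_path)
    if not path:
        return alerts
    origin = path[-1]
    if origin != exp.origin:
        alerts.append(Alert("origin_hijack", mon, obs.vantage,
                            f"origin AS{origin}, expected AS{exp.origin}"))
    else:
        # Origin is right, so inspect who carried it: any transit AS outside
        # the allow-list is a detour worth investigating.
        for asn in path[:-1]:
            if asn not in exp.allowed_transit:
                alerts.append(Alert("unexpected_transit", mon, obs.vantage,
                                    f"AS{asn} in path {' '.join(map(str, path))}"))
    return alerts


def analyze(expectations: List[Expectation], lines: Iterable[str]) -> Tuple[List[Alert], Dict[str, float]]:
    """Return all alerts plus, per monitored prefix, the share of vantage points
    that reported an anomalous route (the propagation figure)."""
    alerts: List[Alert] = []
    seen: Dict[str, set] = defaultdict(set)
    flagged: Dict[str, set] = defaultdict(set)
    for line in lines:
        obs = parse_observation(line)
        exp = match_expectation(obs.prefix, expectations)
        if exp is None:          # route is not one we monitor
            continue
        seen[str(exp.prefix)].add(obs.vantage)
        found = check(obs, exp)
        if found:
            flagged[str(exp.prefix)].add(obs.vantage)
        alerts.extend(found)
    reach = {p: len(flagged[p]) / len(seen[p]) for p in seen}
    return alerts, reach


# Constructed monitoring configuration and route-collector observations.
EXPECTATIONS = [
    Expectation(ip_network("192.0.2.0/24"), 64496, frozenset({64500, 64501})),
    Expectation(ip_network("198.51.100.0/24"), 64497, frozenset({64500})),
]
SAMPLE_ROUTES = [
    "rc-lon-1|192.0.2.0/24|64500 64496",
    "rc-lon-2|192.0.2.0/24|64501 64500 64496",
    "rc-ams-1|192.0.2.0/24|64501 64510 64496",   # detour through AS64510
    "rc-fra-1|192.0.2.0/24|64500 64500 64496",   # prepending, legitimate
    "rc-nyc-1|192.0.2.0/24|64500 64496",
    "rc-lon-1|198.51.100.0/25|64502 64511",      # more-specific from wrong origin
    "rc-lon-2|198.51.100.0/24|64500 64497",
    "rc-lon-1|203.0.113.0/24|64503 64498",       # not monitored, ignored
]

if __name__ == "__main__":
    found_alerts, propagation = analyze(EXPECTATIONS, SAMPLE_ROUTES)
    for a in found_alerts:
        print(f"{a.kind:18} {a.monitored:16} seen at {a.vantage}: {a.detail}")
    for prefix, share in propagation.items():
        print(f"{prefix}: anomalous at {share:.0%} of vantage points")
```

Run as a script, the sample data yields one unexpected-transit alert for 192.0.2.0/24 (seen at one of five vantage points, so 20% propagation, the kind of limited visibility the description notes for the 2015 event) and a more-specific plus origin-hijack pair for 198.51.100.0/24. In a real deployment the observation lines would come from a route-collector feed and the expectations from the owner's own routing registry data; the allow-list check is the operational complement to the cryptographic validation (RPKI route origin validation) that the description says BGP's trust model lacks, since origin validation alone does not catch a path detour with the correct origin.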
