Some of Apple’s Network Traffic was Routed Through Russian ISP
For a 12-hour stretch on July 26 and 27, Russia’s Rostelecom was announcing routes for portions of Apple’s network. It is not known whether this was due to a Border Gateway Protocol (BGP) misconfiguration or whether it was a deliberate hijacking.
Never ascribe to malice what can be explained by a simple typo. Rostelecom owns 184.108.40.206/19 and rerouted 220.127.116.11/19, which is owned by Apple. Notice the simple swapped digit at the beginning? Still, it would be nice if Apple were able to roll out Route Origin Authorization, a feature that has made a real difference in keeping some of these BGP route hijacks from causing more damage. And most of these “hijacks” are simple configuration mistakes. Change control is for people who can't do incident response.
When you look at which groups have responsibility for the availability and integrity of critical services, IT ops and network ops carry the bulk of the responsibility and authority, not security. But many of the tools and services that security uses will detect misconfigurations before IT/network ops does. Integrated SOC/NOCs bring many benefits; the next best thing is common, or at least integrated, tools being used across the groups.
Regardless of whether this rerouting was accidental or deliberate, this incident is another prime example of the importance of end-to-end encryption for all communications.
While there is no official statement from them, Apple did take action by advertising more specific routes to services during the time its traffic was being routed to Russia, which is about the only recourse you have when this happens. It's unlikely we will learn whether this was deliberate, accidental, or a trial balloon for future activities. Make sure that you and your network team have a plan for this scenario.
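The two defences the commentary touches on, Route Origin Authorization and announcing more-specific prefixes, are easy to reason about with a small model. The following Python is an added example written for this page, not code from the original article, from Apple or from Rostelecom. It implements RPKI route origin validation as specified in RFC 6811 (a route is NotFound, Valid or Invalid against a set of ROAs) and longest-prefix-match route selection, then runs both over a constructed scenario: a covering /19 announced by a wrong origin AS, the legitimate owner's /19, and the owner's two /20 more-specifics. The prefixes (RFC 1918 space) and AS numbers (RFC 5398 documentation range) are constructed and do not correspond to the real incident's addresses.

```python
"""Added example: RFC 6811 route origin validation and longest-prefix route
selection, modelling why a ROA and why more-specific announcements each blunt
a mis-originated covering prefix.  All prefixes and AS numbers below are
constructed for illustration (RFC 1918 space, RFC 5398 documentation ASNs)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific of it no longer than `max_length` bits."""
    prefix: IPv4Net
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Route:
    """A BGP announcement as seen by a router: the prefix and its origin AS."""
    prefix: IPv4Net
    origin_as: int


def rov_state(route: Route, roas: Iterable[ROA]) -> str:
    """Classify one route per RFC 6811.
    NotFound: no ROA covers the announced prefix.
    Valid:    a covering ROA matches the origin AS and the prefix is no more
              specific than the ROA's maxLength.
    Invalid:  covered, but no ROA matches (wrong origin or too specific)."""
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def accept_routes(routes: Iterable[Route], roas: Iterable[ROA]) -> List[Route]:
    """A common ROV policy: drop Invalid routes, keep Valid and NotFound."""
    roas = list(roas)
    return [r for r in routes if rov_state(r, roas) != "Invalid"]


def best_routes(dest: str, routes: Iterable[Route]) -> List[Route]:
    """Longest-prefix match: return every accepted route at the most specific
    prefix length that contains `dest`.  More than one result means a tie that
    BGP would settle on path attributes, which this model does not simulate."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return []
    longest = max(r.prefix.prefixlen for r in candidates)
    return [r for r in candidates if r.prefix.prefixlen == longest]


def origins_for(dest: str, routes: Iterable[Route],
                roas: Optional[Iterable[ROA]] = None) -> List[int]:
    """Origin ASes still in contention for `dest` after optional ROV filtering
    and longest-prefix selection, sorted for stable comparison."""
    routes = list(routes)
    accepted = accept_routes(routes, roas) if roas is not None else routes
    return sorted({r.origin_as for r in best_routes(dest, accepted)})


# Constructed scenario (not the real incident's numbers).
OWNER_AS = 64496        # legitimate holder of the address block
OTHER_AS = 64497        # AS that (mis)originates the same covering prefix
ROAS = [ROA(IPv4Net("10.70.96.0/19"), 20, OWNER_AS)]   # owner may announce down to /20

LEGIT_AGG = Route(IPv4Net("10.70.96.0/19"), OWNER_AS)
WRONG_ORIGIN = Route(IPv4Net("10.70.96.0/19"), OTHER_AS)
MORE_SPECIFICS = [Route(IPv4Net("10.70.96.0/20"), OWNER_AS),
                  Route(IPv4Net("10.70.112.0/20"), OWNER_AS)]
TOO_SPECIFIC = Route(IPv4Net("10.70.96.0/21"), OWNER_AS)  # right AS, exceeds maxLength


def main() -> None:
    dest = "10.70.100.5"
    print("ROV states:")
    for r in (LEGIT_AGG, WRONG_ORIGIN, TOO_SPECIFIC):
        print(f"  {r.prefix} from AS{r.origin_as}: {rov_state(r, ROAS)}")
    print("No ROV, only the two /19s       ->", origins_for(dest, [LEGIT_AGG, WRONG_ORIGIN]))
    print("No ROV, owner adds /20s         ->", origins_for(dest, [LEGIT_AGG, WRONG_ORIGIN] + MORE_SPECIFICS))
    print("ROV drop-invalid, only the /19s ->", origins_for(dest, [LEGIT_AGG, WRONG_ORIGIN], ROAS))


if __name__ == "__main__":
    main()
```

The two mitigations work differently: ROV removes the wrong-origin route from consideration entirely (and the ROA's maxLength also rejects overly specific announcements, even from the right AS), while more-specifics win the longest-prefix match without requiring any of your peers to validate anything, which is why they are the quick response when a covering prefix appears from elsewhere.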