There were BGP anomalies during the Venezuela blackout

The Low Orbit Security Radar is a weekly security newsletter from an offensive practitioner's perspective. One idea, curated news, and links worth your time.

News: There Were BGP Anomalies During The Venezuela Blackout

When watching the situation in Venezuela unfold, the phrase "It was dark, the lights of Caracas were largely turned off due to a certain expertise that we have" caught my attention. I do not wish to comment on the geopolitical situation other than to provide some insights within my area of competency, specifically, offensive security.

During a press conference, General John D. Caine stated: "As they approached Venezuelan shores the United States began layering different effects provided by SPACECOM, CYBERCOM, and other members of the inter-agency to create a pathway". Cyber operations preceding traditional military action have become a common pattern, so I started digging into the reported internet outages.

BGP is the first thing that comes to mind. It is the protocol routers use to determine what path data takes to reach its destination; it does this by exchanging routing information between Autonomous Systems. It is also notoriously insecure, and much of the data about BGP is collected in public datasets. Every major network has an Autonomous System Number, or ASN. CANTV (AS8048) is Venezuela's state-owned telecom, so that's the obvious place to start.

Cloudflare Radar's route leak data for AS8048 on January 2nd had some interesting anomalies: 8 prefixes (blocks of IP addresses) were being routed through CANTV, with Sparkle (an Italian transit provider) and GlobeNet (a Colombian carrier) in the Autonomous System (AS) path. The AS path is essentially the list of networks traffic passes through to reach its destination. CANTV was in a path it is not typically a part of.

There was also a noticeable spike in BGP announcements in the days leading up to the events and a drastic dip in the "Announced IP Address Space" according to the same Cloudflare Radar data, although it's unclear what this indicates.

Notably, Sparkle, one of the transit providers in the AS path, is listed as "unsafe" on isbgpsafeyet.com, meaning it doesn't implement some BGP security features such as RPKI filtering.

Cloudflare shows that a leak happened, but not the actual network prefixes. The prefixes are useful for determining what infrastructure was potentially affected. Fortunately, public datasets collect this BGP information. Pulling the data from ris.ripe.net/docs/mrt from around the time of the leak and running it through a tool called bgpdump, we can extract it into a readable format:

TIME: 01/02/26 15:41:16
TYPE: BGP4MP/MESSAGE/Update
FROM: 187.16.222.45 AS263237
TO: 187.16.216.23 AS12654
ORIGIN: IGP
ASPATH: 263237 52320 8048 8048 8048 8048 8048 8048 8048 8048 8048 23520 1299 269832 21980
NEXT_HOP: 187.16.222.45
COMMUNITY: 0:6939 65237:1020
ANNOUNCE
  200.74.228.0/23
  200.74.236.0/23
  200.74.230.0/23
  200.74.238.0/23
  200.74.226.0/24
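To turn that output into something you can check automatically, here is an added example (not code from the newsletter or from the bgpdump project) that parses bgpdump's default record format, collapses CANTV's repeated prepends into a single hop, and flags any update in which AS8048 relays routes between networks outside an assumed neighbour baseline. The baseline set passed to flag_unexpected_transit is an assumption for illustration, not data from the article; in practice it would be built from the ASN's historical paths in RIS.

```python
# Constructed sample: the bgpdump record quoted above, one field per line as bgpdump prints it.
SAMPLE = """TIME: 01/02/26 15:41:16
TYPE: BGP4MP/MESSAGE/Update
FROM: 187.16.222.45 AS263237
TO: 187.16.216.23 AS12654
ORIGIN: IGP
ASPATH: 263237 52320 8048 8048 8048 8048 8048 8048 8048 8048 8048 23520 1299 269832 21980
NEXT_HOP: 187.16.222.45
COMMUNITY: 0:6939 65237:1020
ANNOUNCE
  200.74.228.0/23
  200.74.236.0/23
  200.74.230.0/23
  200.74.238.0/23
  200.74.226.0/24
"""
def parse_bgpdump(text):
    """Parse bgpdump's default multi-line output into dicts with time, as_path and prefixes."""
    updates, cur, in_announce = [], None, False
    for line in text.splitlines():
        if line.startswith("TIME:"):
            cur = {"time": line[5:].strip(), "as_path": [], "prefixes": []}
            updates.append(cur)
            in_announce = False
        elif line.startswith("ASPATH:"):  # collector peer first, origin AS last; AS_SET braces dropped
            cur["as_path"] = [int(a) for a in line[7:].split() if a.isdigit()]
        elif line.strip() == "ANNOUNCE":
            in_announce = True
        elif line.startswith("WITHDRAW") or not line.strip():
            in_announce = False
        elif in_announce and line[:1].isspace():
            cur["prefixes"].append(line.strip())
    return updates

def collapse_prepends(path):
    """Drop consecutive repeats so '8048 8048 8048' (path prepending) counts as one hop."""
    return [a for i, a in enumerate(path) if i == 0 or path[i - 1] != a]

def transit_neighbors(path, asn):
    """(previous, next) ASNs around asn when it sits mid-path; None if absent or at either end."""
    p = collapse_prepends(path)
    i = p.index(asn) if asn in p else -1
    return (p[i - 1], p[i + 1]) if 0 < i < len(p) - 1 else None

def flag_unexpected_transit(updates, asn, expected_neighbors):
    """Flag updates where asn relays routes between ASNs outside expected_neighbors, an assumed
    baseline (in practice derive it from the ASN's historical RIS/RouteViews paths)."""
    return [(u["time"], nb, u["prefixes"]) for u in updates
            if (nb := transit_neighbors(u["as_path"], asn)) and not set(nb) <= expected_neighbors]
```

Run over a full day of MRT updates, the flagged list gives the prefixes and the two neighbouring ASNs for each path CANTV appeared in unexpectedly, which is the detail the Cloudflare Radar view leaves out.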