What starting position does this attack require?

The first step is Control / compromise an AS (T1583) — a resource development primitive. Assumed environment: attacker controls (legitimately or via compromise) a BGP-speaking AS that peers with major transit.

What is the final impact of this kill-chain?

The final step lands on Announce more-specific victim prefix (NET-BGP-HIJACK), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

BGP prefix hijack → traffic interception

From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker AS; traffic for that prefix flows through attacker for inspection / DoS.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Resource Development

Control / compromise an AS

T1583 · Acquire Infrastructure

Credential Access

Intercept / decrypt / DoS the traffic

T1557 · Adversary-in-the-Middle

Credential Access

Force certificate issuance via captured ACME validation

T1556 · Modify Authentication Process

Credential Access

Internet routes converge to attacker AS

T1040 · Network Sniffing

Lateral Movement

Announce more-specific victim prefix

NET-BGP-HIJACK · BGP Route Hijack

§ Context

Assumed environment: attacker controls (legitimately or via compromise) a BGP-speaking AS that peers with major transit. RPKI ROAs not enforced by most peers — common for many regional ISPs.

§ Steps

01
Control / compromise an ASResource Development
T1583— Acquire Infrastructure
02
Intercept / decrypt / DoS the trafficCredential Access
T1557— Adversary-in-the-Middle
03
Force certificate issuance via captured ACME validationCredential Access
T1556— Modify Authentication Process
04
Internet routes converge to attacker ASCredential Access
T1040— Network Sniffing
05
Announce more-specific victim prefixLateral Movement
NET-BGP-HIJACK— BGP Route Hijack

§ References

§ Frequently asked

What is the "BGP prefix hijack → traffic interception" attack path?: From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker AS; traffic for that prefix flows through attacker for inspection / DoS. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Control / compromise an AS (T1583) — a resource development primitive. Assumed environment: attacker controls (legitimately or via compromise) a BGP-speaking AS that peers with major transit.
What is the final impact of this kill-chain?: The final step lands on Announce more-specific victim prefix (NET-BGP-HIJACK), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

BGP prefix hijack → traffic interception

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

5G core GTP-U user-plane injection → subscriber MITM

Reconfigure MFP LDAP → harvest service-account credentials