Cloudflare pours cold water on ‘BGP weirdness preceded US attack on Venezuela’ theory
Cloudflare has poured cold water on a theory that the USA’s incursion into Venezuela coincided with a cyberattack on telecoms infrastructure.
The theory came from red team engineer Graham Helton who, on his personal blog, noted that President Trump said the USA used “certain expertise” to turn off lights in the Venezuelan city of Caracas before the attack, and that the chairman of the Joint Chiefs of Staff, General Dan Caine, said US Cyber Command played a role too.
Helton also noted that cyberattacks are now often a prelude to kinetic warfare, as was the case when Russia illegally invaded Ukraine in 2022. So he went looking for evidence of cyber-ops in Venezuela by poring through data Cloudflare publishes on its Radar service, which records internet traffic trends and outages, and focused on AS8048 – the autonomous system number used by CANTV, Venezuela's state-owned telco.
He found evidence of oddities on January 2nd, the day before the attack.
“8 prefixes (blocks of IP addresses) were being routed through CANTV, with Sparkle (an Italian transit provider) and GlobeNet (a Colombian carrier) in the Autonomous System (AS) path,” Helton wrote, noting that Sparkle is known not to implement optimal border gateway protocol (BGP) security. Using additional data from RIPE NCC’s routing information service, he spotted further evidence of strange traffic flows to CANTV and suggested the routes chosen may have allowed for a man-in-the-middle (MITM) attack that enabled surveillance of traffic.
Helton opined that the incidents he spotted could be evidence of the electronic aspects of the attack on Venezuela mentioned by Gen Caine and hinted at by Trump.
“There is a lot of data publicly available that is worth a much deeper dive to understand exactly what happened,” he added.
On Tuesday, Cloudflare principal network engineer Bryton Herdes took that deep dive and came up for air to post an analysis that confirmed Helton had detected a BGP route leak – an incident in which a network propagates routes it should not, so traffic is pushed onto sub-optimal, sclerotic links and therefore moves slowly and unreliably.
“While we can’t say with certainty what caused this route leak, our data suggests that its likely cause was more mundane,” Herdes wrote. “That’s in part because BGP route leaks happen all of the time, and they have always been part of the Internet — most often for reasons that aren’t malicious.”
Herdes thinks the action around AS8048 that Helton spotted represented a terrible way to run a MITM attack, because it made the route worse – and the point of these attacks is to direct traffic into danger, instead of advertising a bad route that’s best avoided.
“Leaks that impact South American networks are common,” he added, and pointed to plenty of recent leaks involving AS8048 in the last two months. “We have no reason to believe, based on timing or the other factors I have discussed, that the leak is related to the capture of Maduro several hours later,” Herdes wrote, before suggesting that CANTV “may have configured too loose of export policies,” and pointing out that the combination of a draft standard called RFC 9234 and its adoption by routing vendors would make leaks less prevalent.
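To show why RFC 9234 would make this kind of leak less prevalent, here is an added simulation of its Only-To-Customer (OTC) attribute checks; it is illustrative code, not Cloudflare's analysis tooling or any operator's router configuration. AS8048 is CANTV's real ASN from the story; the Sparkle and GlobeNet ASNs (64500, 64501), the origin AS 64510 and the prefix 192.0.2.0/24 are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

PROVIDER, CUSTOMER, PEER = "provider", "customer", "peer"

@dataclass
class Route:
    prefix: str
    as_path: List[int]
    otc: Optional[int] = None  # Only-To-Customer attribute (RFC 9234)

def ingress(neighbor_asn, relationship, route):
    """RFC 9234 ingress checks: return the route, or None if it is a leak."""
    if relationship == CUSTOMER and route.otc is not None:
        return None  # customer re-exported a route it learned from a provider/peer
    if relationship == PEER and route.otc not in (None, neighbor_asn):
        return None  # peer forwarded someone else's customer-only route
    if relationship != CUSTOMER and route.otc is None:
        route.otc = neighbor_asn  # mark as learned from a provider/peer
    return route

def egress(local_asn, relationship, route):
    """RFC 9234 egress checks: return the announcement, or None if forbidden."""
    if relationship in (PROVIDER, PEER) and route.otc is not None:
        return None  # provider/peer-learned routes may only go to customers
    otc = None if relationship == PROVIDER else (
        route.otc if route.otc is not None else local_asn)
    return Route(route.prefix, [local_asn] + route.as_path, otc)

def leak_reaches_globenet(sparkle_sets_otc, cantv_enforces_otc):
    """Does GlobeNet (AS64501, constructed) accept a route that CANTV (AS8048)
    learned from its other provider Sparkle (AS64500, constructed)?"""
    origin = Route("192.0.2.0/24", [64510])  # constructed prefix and origin AS
    if sparkle_sets_otc:
        to_cantv = egress(64500, CUSTOMER, origin)
    else:
        to_cantv = Route(origin.prefix, [64500] + origin.as_path)  # legacy, no OTC
    if cantv_enforces_otc:
        accepted = ingress(64500, PROVIDER, to_cantv)
        leaked = egress(8048, PROVIDER, accepted)
    else:
        # loose export policy: re-announces upstream, OTC carried transitively if present
        leaked = Route(to_cantv.prefix, [8048] + to_cantv.as_path, to_cantv.otc)
    if leaked is None:
        return False
    # GlobeNet enforces RFC 9234 on what its customer CANTV announces
    return ingress(8048, CUSTOMER, leaked) is not None
```

Only the case where neither provider nor customer applies OTC lets the leaked route through, which is the point of pairing the standard with vendor adoption.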
All of which leaves whatever the USA did to turn out the lights in Venezuela a secret, and the notoriously flaky BGP again the villain of the piece. ®