Cyber Attack on Orange Spain: RIPE Account Hack Leads to Internet Outage

An audacious cyberattack on the Spanish telecommunications operator Orange Spain caused a disruption in internet connectivity. The attackers hacked into the company’s account at RIPE (Réseaux IP Européens Network Coordination Centre) and tampered with the company’s BGP (Border Gateway Protocol) and RPKI (Resource Public Key Infrastructure) configuration.

BGP plays a pivotal role in internet traffic routing: it lets organizations associate their IP address ranges with an autonomous system (AS) number and announce them to other routers. However, the protocol is trust-based, so an announcement of IP ranges normally associated with a different AS number can be accepted by other routers and redirect traffic to malicious sites or networks.

To thwart such attacks, the RPKI standard was devised as a cryptographic defense against BGP hijacking. Through RPKI, a network can cryptographically attest which AS number is authorized to announce its IP addresses, so that other routers can reject announcements that do not match.

A hacker known as “Snow” infiltrated Orange Spain’s account at RIPE and altered the AS number associated with the company’s IP addresses, and also enabled an RPKI configuration under which the company’s own announcements were invalid. As a result, the IP addresses were no longer properly announced on the internet, disrupting Orange Spain’s network from 14:45 to 16:15 UTC.
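To make the RPKI side of the incident concrete, the following added example (not code from the article or from Orange or RIPE) implements RFC 6811 route origin validation and a simple ROA drift check of the kind an operator would run to detect tampering with its RIR records. The AS numbers and prefix are constructed documentation values, not Orange Spain’s real ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: which AS may originate a prefix, up to max_length."""
    prefix: str
    max_length: int
    origin_as: int


def validate_origin(announced_prefix: str, origin_as: int, roas: list[ROA]) -> str:
    """RFC 6811 route origin validation: returns 'Valid', 'Invalid' or 'NotFound'."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version == ann.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"  # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and ann.prefixlen <= roa.max_length:
            return "Valid"  # some covering ROA authorises this AS at this length
    return "Invalid"  # covered, but by ROAs that authorise a different AS or length


def roa_drift(expected: list[ROA], published: list[ROA]) -> dict[str, list[ROA]]:
    """Compare the ROAs an operator expects with what its RIR currently publishes."""
    exp, pub = set(expected), set(published)
    return {"missing": sorted(exp - pub, key=str), "unexpected": sorted(pub - exp, key=str)}


# Constructed sample values (documentation AS numbers and prefix, not the real ones).
OPERATOR_AS = 64500
PREFIX = "203.0.113.0/24"
legit_roas = [ROA(PREFIX, 24, OPERATOR_AS)]   # ROA before the account takeover
tampered_roas = [ROA(PREFIX, 24, 64501)]      # ROA after the origin AS was altered


def validation_states() -> tuple[str, str]:
    """Validation state of the operator's own announcement before and after tampering."""
    return (validate_origin(PREFIX, OPERATOR_AS, legit_roas),
            validate_origin(PREFIX, OPERATOR_AS, tampered_roas))
```

Under the tampered ROA the operator’s legitimate announcement becomes RPKI-Invalid, which is exactly why networks that enforce route origin validation stop accepting it; `roa_drift` run against the published ROA set flags the change immediately.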

Orange Spain confirmed the breach of their RIPE account and commenced service restoration. The company assured that customer data remained uncompromised, and the disruption only affected navigation on some services.

While Orange Spain did not disclose how its RIPE account was compromised, it is speculated that the breach was possible because two-factor authentication was not enabled on the account. The credentials are suspected to have leaked through the info-stealer Raccoon Stealer: according to cybersecurity firm Hudson Rock, the email address and password for the RIPE account were found in a list of accounts stolen by that malware.

On September 4, 2023, a computer belonging to an Orange employee was infected with Raccoon Stealer. Among the corporate credentials harvested from that computer were the login details for “https://access.ripe.net”: the email address adminripe-ipnt@orange[.]es and the password ripeadmin, which was far too simple and insecure for such a critical account.

This incident underscores the importance of enabling two-factor or multi-factor authentication on all accounts, so that even if credentials are stolen, attackers cannot use them alone to gain access.