Orange Spain RIPE account is taken over by hackers, wreaking havoc on BGP
Getting your Trinity Audio player ready...

According to a company representative, the cyberattack that targeted Orange’s Spanish division on Wednesday prevented an unknown number of customers from accessing specific websites.

According to the spokesperson, Orange, the second-biggest telecom provider in Spain, has largely resolved the unauthorized access to its IP network coordination center and neutralized it.

The French company said that their customers’ data was not compromised in a message posted on social media platform X.

An RPKI configuration and BGP routing were incorrectly configured today by a hacker who gained access to Orange Spain’s RIPE account.

Border Gateway Protocol (BGP) is responsible for handling internet traffic routing. It enables organizations to link their IP addresses to the autonomous system (AS) numbers and promote them to other routers they are connected to, referred to as friends.

Networks can determine the optimal path to send traffic to a specific IP address by using the routing table that is created by these BGP advertisements and spreads to all other edge routers on the internet.

However it is possible to hijack those IP ranges and divert traffic to malicious websites or networks when a rogue network announces IP ranges that are typically associated with another AS number.

This is made possible, according to Cloudflare, by the trustless foundation of BGP and the updating of the routing table according to the advertiser with the shortest and most precise route.

Resource Public Key Infrastructure (RPKI), a new standard that serves as a cryptographic countermeasure to BGP hijacking, was developed to stop this.

“Resource Public Key Infrastructure (RPKI) is a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number,” according to a Cloudflare article about RPKI.

A network can cryptographically declare that only routers under its control can broadcast an AS number and the IP addresses that go along with it by enabling RPKI with a routing body like ARIN or RIPE.

Hacker compromises RIPE account to undermine BGP

A threat actor going by the handle “Snow” compromised Orange Spain’s RIPE account yesterday and tweeted at the company asking to speak with them about obtaining new login credentials.

Since then, the attacker has changed the IP addresses of the company linked to the AS number, enabling an erroneous RPKI configuration on them.

These IP addresses were effectively rendered ineffective for internet announcements after they were made public on someone else’s AS number and RPKI was enabled.

“Looks like what they did was make some ROA /12 records, which show who is the AUTHORITY over a prefix (i.e., the AS that can announce it)” DMNTR Network Solutions’ CTO, Felipe Cañizares.

“These grouped the /22 and /24 prefixes announced by Orange Spain, indicating that the AS that should announce that prefix was AS49581 (Ferdinand Zink trading as Tube-Hosting).”

“Once this was done, they activated RPKI on that /12… and goodbye…”

Orange Spain’s network experienced a performance issue as a result between 14:45 and 16:15 UTC, as shown in the Cloudflare traffic graph for AS12479 below.

After confirming that their RIPE account was compromised, Orange Spain started to restore services.

“NOTE: Some of our customers’ ability to browse has been impacted by improper access to the Orange account at the IP network coordination center (RIPE). “Service has nearly resumed,” tweeted Orange Spain.

“We confirm that in no case is the data of our clients compromised, it has only affected the navigation of some services.”

Although Cañizares told reporters he thinks Orange Spain did not enable two-factor authentication on the account, it is unclear how the threat actor gained access to the RIPE account.

Cañizares has started a thread on X that provides a summary of the attack’s events.

Regarding the attack, reporters contacted Orange Spain; as of right now, they have not heard back.

The threat actor revealed a hint in a screenshot shared on Twitter, revealing the email address associated with the compromised RIPE account, even though Orange Spain has not revealed how its account was compromised.

Email and the password linked to the RIPE account were discovered in a list of accounts that had been taken by malware that stole personal data, according to Alon Gal of cybersecurity intelligence firm Hudson Rock.

“The Orange employee had their computer infected by a Raccoon type Infostealer on September 4th, 2023, and among the corporate credentials identified on the machine, the employee had specific credentials to “” using the email address which was revealed by the threat actor ([email protected]),” explains research from Hudson Rock.

As per Gal’s statement, the account’s password was ‘ripeadmin,’ an extremely simple password for such an important account.

Threat actors use malware that steals information to obtain credentials for first access to corporate networks, making it the scourge of the business world.

Threat actors frequently buy stolen credentials from online marketplaces for cybercrime, which they use to break into networks and launch ransomware, cyber espionage, and data theft attacks.

For this reason, two-factor or multi-factor authentication needs to be enabled on all accounts to prevent hackers from accessing them even if they are stolen.

Leave a Reply

Your email address will not be published. Required fields are marked *