Orange Spain customers were unable to access the internet for several hours on January 3 as a result of a hacker attack that appears to have involved credentials stolen by malware.
The hacker took control of Orange Spain’s account with the RIPE Network Coordination Center (NCC). RIPE stands for Réseaux IP Européens, ‘European IP Networks’ in French. The RIPE NCC is the regional internet registry for Europe, the Middle East and parts of Central Asia, and it’s responsible for allocating and registering blocks of internet number resources to ISPs and other organizations.
The attacker, who uses the online moniker ‘Snow’, made some changes in Orange’s RIPE account, which led to a disruption in Border Gateway Protocol (BGP) routing and a significant loss of traffic.
Some Orange customers complained about their internet connection being down for several hours on Wednesday.
Felipe Canizares of DMNTR Network Solutions, who described it as one of the most ingenious attacks on a major internet operator, has shared a technical description of the attack (written in Spanish) on X, formerly Twitter.
After announcing that they had gained access to Orange’s RIPE account, the hacker told the company to send a private message to get the new credentials, which Orange apparently did.
The hacker later clarified that no ransom was demanded and they did not plan on causing an outage. They claimed their goal was to “prevent an actual bad threat actor from finding the account and compromising it”.
Threat intelligence company Hudson Rock believes “with high certainty” that Orange Spain’s RIPE administrator account was compromised after an Orange employee had their computer infected with the Raccoon information stealer malware in September. The malware is believed to have stolen the credentials for the RIPE admin account from that employee’s device.
Orange Spain confirmed on X that its RIPE account had been hijacked, which affected some customers’ internet services, but said the impacted services had been restored. The company said no customer data was compromised.
Following the incident, the RIPE NCC issued a statement saying that an investigation has been launched.
“We have restored access to the legitimate account holder [i.e. Orange] and are working closely with them to ensure the integrity of the account. Our Information Security team is continuing to investigate whether any other accounts have been affected. Account holders who might be affected will be contacted directly by us,” the RIPE NCC said.
“We encourage account holders to please update their passwords and enable multi-factor authentication for their accounts,” it added.