Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Mobile & Wireless

RIPE Account Hacking Leads to Major Internet Outage at Orange Spain 

Orange Spain’s internet went down for several hours after its RIPE account was hacked, likely after malware stole the credentials.

Orange hack

Orange Spain customers were unable to access the internet for several hours on January 3 as a result of a hacker attack that appears to have involved credentials stolen by malware.

The hacker took control of Orange Spain’s account with the RIPE Network Coordination Center (NCC). RIPE stands for Réseaux IP Européens, ‘European IP Networks’ in French. The RIPE NCC is the regional internet registry for Europe, the Middle East and parts of Central Asia, and it’s responsible for allocating and registering blocks of internet number resources to ISPs and other organizations. 

The attacker, who uses the online moniker ‘Snow’, made some changes in Orange’s RIPE account, which led to a disruption in Border Gateway Protocol (BGP) routing and significant loss in traffic. 

Some Orange customers complained about their internet connection being down for several hours on Wednesday. 

Felipe Canizares of DMNTR Network Solutions, who described it as one of the most ingenious attacks on a major internet operator, has shared a technical description of the attack (written in Spanish) on X, formerly Twitter. 

After announcing that they had gained access to Orange’s RIPE account, the hacker told the company to send a private message to get the new credentials, which Orange apparently did. 

The hacker later clarified that no ransom was demanded and they did not plan on causing an outage. They claimed their goal was to “prevent an actual bad threat actor from finding the account and compromising it”. 

Threat intelligence company Hudson Rock believes “with high certainty” that Orange Spain’s RIPE administrator account was compromised after an Orange employee had their computer infected with the Raccoon information stealer malware in September. The malware is believed to have stolen the credentials for the RIPE admin account from that employee’s device. 

Advertisement. Scroll to continue reading.

Orange Spain confirmed on X that its RIPE account had been hijacked, which affected some customers’ internet services, but said the impacted services had been restored. The company said no customer data was compromised. 

Following the incident, the RIPE NCC issued a statement saying that an investigation has been launched.

“We have restored access to the legitimate account holder [ie Orange] and are working closely with them to ensure the integrity of the account. Our Information Security team is continuing to investigate whether any other accounts have been affected. Account holders who might be affected will be contacted directly by us,” the RIPE NCC said.

“We encourage account holders to please update their passwords and enable multi-factor authentication for their accounts,” it added.

Related: Exploitation of BGP Implementation Vulnerabilities Can Lead to Disruptions

Related: BGP Flaw Can Be Exploited for Prolonged Internet Outages

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.