Major Spanish mobile carrier suffers three-hour outage after account takeover

One of Spain's biggest mobile carriers said it had restored services after a hacker caused an outage by manipulating crucial information about the company’s internet infrastructure.

Orange España acknowledged the incident Wednesday on social media, saying it had “affected some of our customers,” but that service was “practically restored” as of the evening. It was unclear if the internet outages directly affected the Madrid-based company’s mobile phone service, but overall the internet-related outage lasted about three hours.

Cybersecurity experts who examined the incident marveled at some aspects of it. Reports said that the initial breach was to the company’s account on RIPE, the regional internet register for Europe.

First reported by BleepingComputer, the breach was claimed by a hacker who boasted of the attack on Twitter. The attacker shared images of their administrative account access, and Orange España even responded to the tweet, acknowledging that it was addressing the issue.

Using the images shared, researchers at cybersecurity firm Hudson Rock traced the breach back to the computer of an Orange Spain employee “who was infected by an Infostealer earlier this year.”

“The Orange employee had their computer infected by a Raccoon type Infostealer on September 4th 2023, and among the corporate credentials identified on the machine, the employee had specific credentials to “https://access.ripe.net” using the email address which was revealed by the threat actor ([email protected]),” they found.

“It is also worth noting that the password that was used on Orange’s RIPE administrator account was ‘ripeadmin’ which is ridiculously weak.”

With access to the RIPE account, the hacker was able to disrupt how Orange’s internet addresses appeared to the Border Gateway Protocol (BGP), a cornerstone for the handling of global digital traffic. BGP is essentially a set of rules that help determine the best routes for data.

More specifically, the hacker changed the autonomous system (AS) number associated with Orange’s IP addresses. When assigned properly, AS numbers allow networks to exchange information with the rest of the internet.

In addition, the attacker created an invalid Resource Public Key Infrastructure (RPKI) configuration for Orange. RPKI is supposed to help secure BGP routing, but in this incident, the hacker used it to ensure that the switch to the AS number led to problems.

Internet access monitor Cloudflare said it observed a massive disruption to Orange’s internet access and a 50% decrease in traffic.

Orange said on social media that no client data had been compromised, and the incident “only affected the navigation of some services.”

RIPE published its own response to the controversy, writing in a statement that it is investigating the compromise of the account which “resulted in some services of the account holder being temporarily impacted.”

“We have restored access to the legitimate account holder and are working closely with them to ensure the integrity of the account. Our Information Security team is continuing to investigate whether any other accounts have been affected,” they said.

“Account holders who might be affected will be contacted directly by us. We encourage account holders to please update their passwords and enable multi-factor authentication for their accounts.”

When asked on social media why two-factor authentication was not already mandated, the organization said it is “expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts ASAP.”

RIPE also said it plans “to introduce a variety of verification mechanisms” in the long term.