In January 2024, Orange Spain suffered a significant cyberattack that resulted in a massive disruption of its internet services. The attackers compromised an account at RIPE NCC (Réseaux IP Européens Network Coordination Centre), allowing them to manipulate the BGP (Border Gateway Protocol) and cause widespread network connectivity failures, interrupting internet access for thousands of users for several hours.
This attack was particularly severe due to Orange's importance in the Spanish telecommunications landscape. Orange is one of the leading providers of internet and telephone services in the country, with millions of users relying on its services for both personal and business communications. The disruption affected not only individual users but also numerous businesses and critical services. This article examines the impact of the attack, explains the technical details in an accessible manner, and suggests security measures to prevent similar incidents in the future.
RIPE NCC Account Hack
The incident began when an Orange Spain employee fell victim to the Raccoon malware, a type of malicious software designed to steal credentials. Raccoon is known for its ability to extract sensitive information such as passwords, cookies, and form data from infected browsers.
This malware infiltrated the employee’s computer on 4th September 2023, capturing access credentials for the RIPE account, a critical platform for internet resource management. The following screenshot shows an employee named Diego accessing the RIPE platform using the email adminripe-ipnt@orange.es and the password ripeadmin.

The stolen credentials were subsequently sold on the dark web, allowing a hacker known as "Snow" to access the account and make critical changes. The attacker used this information to alter BGP route announcements, redirecting Orange Spain’s internet traffic and causing significant service disruptions.
Although in this case the hack was due to the Raccoon malware, it could equally have been carried out through a different attack known as credential stuffing, since the email address is listed on sites like phonebook.cz, as shown below, and the password was weak. Credential stuffing uses combinations of usernames and passwords leaked from other data breaches to attempt access to various services.

The attack had a considerable impact on Orange Spain, affecting the company’s ability to provide internet services to its customers. For several hours, thousands of users experienced connectivity interruptions, resulting in frustration and a loss of trust in the company. Although Orange Spain assured that no customer data was compromised, the service outage highlighted significant vulnerabilities in their security infrastructure.
Simplified Technical Details
Manipulation of the BGP Protocol
The Border Gateway Protocol (BGP) is crucial for directing internet traffic, enabling networks to exchange information about the most efficient routes for data. By accessing the RIPE account, the hacker was able to change the Autonomous System (AS) numbers and associated BGP routes, redirecting Orange's traffic through incorrect routes and causing widespread disruptions.
RPKI Configuration
The Resource Public Key Infrastructure (RPKI) protocol is a cryptographic security measure designed to protect against BGP route hijacking attacks. However, by publishing an invalid RPKI configuration, the attacker caused Orange's legitimate routes to be treated as invalid by networks that validate routes against RPKI. This exacerbated the service disruptions and complicated recovery efforts.
Errors in ROA
The attacker created incorrect Route Origin Authorisations (ROAs), the records RPKI uses to validate BGP routes. These incorrect records indicated that Orange's legitimate AS had no authority over its own prefixes, leading routers that enforce RPKI validation to drop Orange's routes and thus increasing the impact of the attack.
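To make the RPKI and ROA sections above concrete, here is an added example (not code from the original article) that implements route origin validation as described in RFC 6811 and walks the same legitimate announcement through three ROA states: no ROA, a correct ROA, and an attacker-replaced ROA naming the wrong origin AS. The AS numbers and prefixes are constructed placeholders from the documentation ranges, not Orange Spain's real resources; `roa_drift` is a hypothetical defender check, not a RIPE tool.

```python
# Added example, not code from the original article: Route Origin Validation
# (RFC 6811) showing how a wrong ROA makes a legitimate announcement "invalid".
# AS numbers and prefixes are constructed placeholders (documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the origin may announce
    origin_as: int   # AS authorised to originate the prefix

def validate_origin(prefix: str, origin_as: int, roas: list[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one (prefix, origin AS)."""
    announced = ip_network(prefix, strict=False)
    covering = [r for r in roas
                if ip_network(r.prefix).version == announced.version
                and announced.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"  # no ROA says anything about this prefix
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"        # covered, but no ROA authorises this origin/length

def router_accepts(state: str, enforce_rov: bool) -> bool:
    """A network enforcing ROV drops 'invalid' routes; others still accept them."""
    return state != "invalid" if enforce_rov else True

def roa_drift(expected: set[ROA], published: set[ROA]) -> dict:
    """Defender check (hypothetical): compare intended ROAs with published ones."""
    return {"unexpected": published - expected, "missing": expected - published}

LEGIT_AS = 64500                  # constructed: the victim's own AS
VICTIM_PREFIX = "203.0.113.0/24"  # constructed: a prefix the victim originates

def incident_walkthrough() -> dict:
    """The same legitimate announcement under three ROA states."""
    correct = {ROA(VICTIM_PREFIX, 24, LEGIT_AS)}
    # An attacker holding the RIR account replaces the ROA with a wrong origin AS.
    attacker = {ROA(VICTIM_PREFIX, 24, 64511)}
    states = {
        "no_roa": validate_origin(VICTIM_PREFIX, LEGIT_AS, []),
        "correct_roa": validate_origin(VICTIM_PREFIX, LEGIT_AS, list(correct)),
        "attacker_roa": validate_origin(VICTIM_PREFIX, LEGIT_AS, list(attacker)),
    }
    states["rov_peer_drops_legit_route"] = not router_accepts(states["attacker_roa"], True)
    states["drift"] = roa_drift(correct, attacker)  # what monitoring should alert on
    return states
```

Periodically diffing the ROAs you intended against those actually published for your resources is the cheapest way to notice this kind of tampering before peers start dropping your routes.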
Raccoon
Raccoon is a remote access malware specialised in stealing confidential information such as login credentials and financial data. It uses advanced techniques to infiltrate target systems, often spreading through phishing emails or malicious downloads. Once installed, Raccoon can act as a keylogger, recording the user's keystrokes to capture passwords and other sensitive information.
It can also intercept data transmitted over unsecured networks and access locally stored files. Its main objective is to collect valuable data stealthily and send it back to servers controlled by the attackers.
Security Failures
The attack on Orange Spain revealed several critical security flaws:
Weak Password: The RIPE account used a simple password, "ripeadmin," which is easily guessable and vulnerable to attacks.
Lack of Two-Factor Authentication (2FA): The absence of 2FA on the RIPE account allowed attackers to gain access using only the stolen credentials, without the need for a second form of verification.
Inadequate Password Security Management: The reuse of passwords and the lack of complexity made unauthorised access to the account easier.
Recommended Security Measures
To prevent similar incidents in any organisation in the future, it is essential to implement the following security measures:
Two-Factor Authentication (2FA): Requiring a second factor of authentication, such as a code sent to the user's phone or an authentication app, can prevent unauthorised access even if login credentials are compromised.
Password Manager: Use password managers to create and store secure and unique passwords for each account. Password managers can generate complex combinations that are difficult to guess or break through brute force attacks.
Secure Passwords: Implement strong password policies that require a combination of uppercase and lowercase letters, numbers, and special characters. Additionally, it is important to avoid reusing passwords across different accounts and services.
Security Monitoring and Updates: Conduct regular security audits to identify and fix vulnerabilities in the infrastructure. Keeping systems and software updated with the latest security patches is also crucial to protect against new threats.
Cybersecurity Training: Educate employees on best cybersecurity practices, including identifying phishing emails and the importance of maintaining credential security.
The attack on Orange Spain highlights the importance of adopting robust cybersecurity measures and maintaining constant vigilance against evolving threats. Implementing two-factor authentication, using password managers, and adopting secure password policies are essential steps to protect networks and sensitive data. Cyber resilience requires a combination of advanced technologies and an organisational culture focused on security.
The images used in this article were taken, respectively, from: https://x.com/CiberPoliE