Major Spanish mobile operator suffers three-hour outage after account takeover


One of Spain’s largest mobile operators says it has restored services after a hacker caused an outage by manipulating crucial information about the company’s internet infrastructure.

Orange Spain acknowledged the incident Wednesday on social media, saying that it had “affected some of our customers” but that service had been “virtually restored” by the evening. It was unclear whether the outage directly affected the Madrid company’s cellphone service, but overall the Internet-related outage lasted about three hours.

Cybersecurity experts who examined the incident were amazed by some aspects of it. Reportedly, the initial breach involved the company’s account on RIPE, the regional Internet registry for Europe.

First reported by BleepingComputer, the breach was claimed by a hacker who bragged about the attack on Twitter. The attacker shared images of their access to the administrative account, and Orange España even responded to the tweet, acknowledging that it had resolved the problem.

Using the shared images, researchers at cybersecurity firm Hudson Rock traced the breach back to the computer of an Orange Spain employee “who was infected by an Infostealer earlier this year”.

“The Orange employee had his computer infected with a Raccoon-type Infostealer on September 4, 2023, and among the company credentials identified on the machine, the employee had specific credentials for ‘https://access.’ using the email address that was revealed by the threat actor (email protected),” they found.

“It’s also worth noting that the password used on Orange’s RIPE admin account was ‘ripeadmin’, which is ridiculously weak.”

By accessing the RIPE account, the hacker was able to disrupt the way Orange’s Internet addresses appeared to the Border Gateway Protocol (BGP), the protocol that underpins the routing of global Internet traffic. BGP is essentially a set of rules that help determine the best routes for data.

More specifically, the hacker modified the autonomous system (AS) number associated with Orange IP addresses. When assigned correctly, AS numbers allow networks to exchange information with the rest of the Internet.

Additionally, the attacker created an invalid RPKI (Resource Public Key Infrastructure) configuration for Orange. RPKI is supposed to help secure BGP routing, but in this incident the hacker used it to ensure that the change to the AS number caused problems.
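
Why a changed origin AS in RPKI data makes a network's own announcements unusable can be seen from the route origin validation procedure in RFC 6811, which validating networks apply to each BGP route. The following is an added example, not part of the original article and not Orange's or RIPE's tooling; the prefixes and AS numbers are constructed documentation values, and modelling the change as a ROA that names a different origin AS is an assumption.

```python
import ipaddress

def rov_state(prefix, origin_as, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers a route that equals its prefix or is a more-specific of it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS and a length within maxLength; AS0 never matches.
        if roa_as == origin_as and roa_as != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: validating peers treat it as invalid.
    return "invalid" if covered else "not-found"

def audit(announcements, roas):
    """Return (prefix, origin_as, state) for each of our routes that is not 'valid'."""
    findings = []
    for prefix, origin_as in announcements:
        state = rov_state(prefix, origin_as, roas)
        if state != "valid":
            findings.append((prefix, origin_as, state))
    return findings

# Constructed sample data: documentation prefixes (RFC 5737 / RFC 3849)
# and documentation AS numbers (RFC 5398). ROA tuples: (prefix, maxLength, origin AS).
ANNOUNCEMENTS = [("192.0.2.0/24", 64500), ("2001:db8:1::/48", 64500)]
ROAS_BEFORE = [("192.0.2.0/24", 24, 64500), ("2001:db8::/32", 48, 64500)]
# Assumed state after an unauthorised registry edit: one ROA names another AS.
ROAS_AFTER = [("192.0.2.0/24", 24, 64511), ("2001:db8::/32", 48, 64500)]

if __name__ == "__main__":
    print("before:", audit(ANNOUNCEMENTS, ROAS_BEFORE))
    print("after: ", audit(ANNOUNCEMENTS, ROAS_AFTER))
```

Running the audit on a schedule against the ROAs published for your own address space flags an unexpected "invalid" state for routes you originate before peers start dropping them.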

Internet access monitor Cloudflare said it observed a massive disruption to Orange’s Internet access and a 50% decrease in traffic.

Orange said on social media that no customer data had been compromised and that the incident “only affected the navigation of certain services”.

RIPE published its own response to the controversy, writing in a statement that it is investigating the account compromise which “resulted in a temporary impact on certain services of the account holder.”

“We have restored access to the rightful account holder and are working closely with them to ensure the integrity of the account. Our information security team continues to investigate whether other accounts have been affected,” they said.

“Account holders who may be affected will be contacted directly by us. We encourage account holders to update their passwords and enable multi-factor authentication for their accounts.”

When asked on social media why two-factor authentication wasn’t already mandatory, the organization said it “accelerates the implementation of 2FA to make it mandatory for all RIPE NCC Access accounts as soon as possible.”

RIPE also said it plans to “introduce a variety of verification mechanisms” in the long term.


Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Joe Warminsky

Joe Warminsky is the editor-in-chief of Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, DC area. Most recently, he helped lead CyberScoop for over five years. Before that, he was a digital editor at WAMU 88.5, NPR’s Washington affiliate, and he spent more than a decade editing congressional coverage for CQ Roll Call.
