The afternoon of Wednesday, January 3, was a hard day for Orange employees in Spain. A sudden outage left many of its customers without connectivity, and far from being an infrastructure failure of the kind we are relatively used to, it was something more serious, confirmed in the hours that followed: a hacker had hijacked Orange's account at RIPE NCC.

In this way we learned, just as we did in the past with Cloudflare, for example, that incidents at certain kinds of suppliers and organizations, usually invisible to the end user, have consequences as serious as, or more serious than, failures in the infrastructure of the companies we are actually customers of.

What exactly happened. The Orange attack involved tampering with the Internet routing system known as BGP (Border Gateway Protocol). The attacker obtained Orange credentials in RIPE NCC and this allowed him to redirect the Internet traffic of Orange customers, causing failures when accessing websites and applications.

This method is known as BGP hijacking. It involves taking control of online traffic routes to be able to intercept the data that circulates through them or, as in this case, redirect them.
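As an added illustration (not code from the article, nor from Orange or RIPE NCC), here is the kind of check a network operator can run on the defender's side over its own route-collector feed: it compares observed BGP announcements for the operator's prefixes against the origin AS it expects and flags the two classic hijack shapes, a foreign AS originating the exact prefix and a foreign AS announcing a more-specific that wins by longest match. The prefixes, AS numbers and update records are constructed documentation values, not Orange's.

```python
import ipaddress

# Constructed table of prefixes this operator legitimately originates,
# mapped to the origin AS expected for each (documentation values).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/23": 64500,
}

# Constructed sample of (prefix, origin_as, as_path) records as a route
# collector might report them; two are legitimate, two are suspicious.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", 64500, [64510, 64500]),
    ("203.0.113.0/24", 64999, [64520, 64999]),    # foreign AS claims our exact prefix
    ("203.0.113.128/25", 64999, [64520, 64999]),  # foreign AS announces a more-specific
    ("192.0.2.0/24", 64999, [64520, 64999]),      # not ours, ignore
]


def classify_announcement(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Classify one announcement against the expected-origin table.

    Returns "ok", "origin-hijack", "subprefix-hijack" or "unrelated".
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for ours, asn in expected.items():
        ours_net = ipaddress.ip_network(ours)
        if net.version != ours_net.version:
            continue  # subnet_of() raises on mixed IPv4/IPv6, so skip early
        if net == ours_net:
            return "ok" if origin_as == asn else "origin-hijack"
        if net.subnet_of(ours_net):
            # A more-specific beats our own route by longest-prefix match;
            # the owner deaggregating is normal, anyone else doing it is not.
            return "ok" if origin_as == asn else "subprefix-hijack"
    return "unrelated"


def scan_updates(updates):
    """Return (prefix, origin_as, verdict) for every suspicious announcement."""
    flagged = []
    for prefix, origin_as, _as_path in updates:
        verdict = classify_announcement(prefix, origin_as)
        if verdict not in ("ok", "unrelated"):
            flagged.append((prefix, origin_as, verdict))
    return flagged


if __name__ == "__main__":
    for row in scan_updates(SAMPLE_UPDATES):
        print("ALERT:", row)
```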

What is RIPE NCC. It is the Réseaux IP Européens Network Coordination Centre, the body responsible for allocating IP addresses in Europe, as well as in parts of the Middle East and Central Asia. It has more than 20,000 members, mainly Internet access providers, governments, regulators, educational institutions, large companies and telecommunications organizations.

Through this role, RIPE NCC helps ensure that data traffic is routed efficiently and securely across the network. If an intruder gains access to one of its databases for malicious purposes, they can disrupt that routing for a group of customers, as happened here. It is based in Amsterdam, was formed in 1992 and is a non-profit organisation. Anyone can join it.

How it was done. Orange has not provided details about this attack, but an unconfirmed theory suggests that the attacker stole the RIPE NCC account credentials through a phishing attack on an employee of the operator in September 2023. That attack installed malicious software (an infostealer) that allowed the attacker to obtain the username and password for the account.

According to the published details, the password was extremely simple and the account lacked two-factor verification, so the password alone was enough for the attacker to get in.

The email address Orange uses for the RIPE NCC account was published by the attacker himself, and Hudson Rock, a cybersecurity firm, says it can confirm “with great certainty” that this theory is true.

Could it happen to another operator? Of course, but it will depend on whether an attacker targets it, whether they are able to obtain the operator's credentials for RIPE NCC (very possibly this incident has prompted everyone to review how they protect them) and whether there is a vulnerability, technical or human, that makes it possible.

A new attack like this could hijack IP addresses to redirect Internet traffic destined for the operator so that it passes through the attackers. It could also manipulate BGP routes and intercept sensitive customer traffic or data, although Orange has assured that this did not happen in its case.

RIPE NCC released a statement explaining that it is investigating the attack on one of its accounts, has restored access to its rightful owner, and will be contacting account holders who may have been affected.

What we can learn. Without a doubt, whether we are talking about personal accounts or corporate accounts, of any size, it is always a good idea to protect our credentials as much as possible.

First, using strong passwords. One that is too weak can be stolen in a matter of seconds or at most a few hours, either by using dictionary words or by brute force attacks.

In this demo you can check in real time how long it would take to crack any given password. The password suggested by the theory was very weak, although it was not by brute force that the attacker obtained it.

Second, activating two-factor verification. There are many methods for this and it will be a great way to protect ourselves in the event that someone steals a password. Even the RIPE NCC itself explicitly recommends it.

Featured image | Shoaib Asif on Unsplash.