Orange Espagne, the second-largest telecommunications operator in Spain, suffered an outage of nearly four hours after an administrator account was compromised. The incident disrupted service for its 11 million subscribers. The breach was possible because a predictable password was used for the RIPE NCC registrar interface and two-factor authentication was not enabled.
It was later discovered that the RIPE password had been captured by malware on one employee's machine, and that the stolen credentials were subsequently offered for sale on the black market. Notably, thousands of other accounts for Access.Ripe.net exist and could be exposed to similar attacks.
The intrusion went unnoticed until January 2nd, when the attacker logged in to the RIPE NCC web interface and changed the operator's BGP (Border Gateway Protocol) and RPKI (Resource Public Key Infrastructure) settings. These changes affected the operator's routing and caused roughly half of its traffic to be rerouted. The attacker also created several new RPKI ROA (Route Origin Authorization) records, assigning large blocks of Orange Espagne's address space to an unknown autonomous system. As a consequence, legitimate BGP announcements from the operator's own autonomous system were rejected by multiple backbone (transit) operators. The number of BGP routes attributed to Orange Espagne fell from 9200 to 7400, and traffic nearly doubled.
RPKI (Resource Public Key Infrastructure) is a security framework for authorizing BGP announcements: it lets a router check whether an announcement for a prefix really originates from the network that holds that prefix. By building a chain of trust from IANA down through the regional registries, providers and end customers, RPKI lets operators confirm that operations on address resources are legitimate. Without such validation, an operator can announce routes it does not hold, redirect traffic through its own network, and thereby create security risks and bypass filtering mechanisms.
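To make the mechanism behind the outage concrete, the following is an added example (not code from the article or from any party it describes) of Route Origin Validation as specified in RFC 6811, applied to the ROA manipulation described above. It assumes constructed data throughout: the prefixes are RFC 5737 documentation ranges, the AS numbers are RFC 5398 documentation ASNs standing in for the operator's own AS and for the "unknown autonomous system", and the ROA sets are invented to replay the before/after states. Real routers obtain validated ROA payloads from an RPKI validator over the RTR protocol; this block reproduces only the per-route decision.

```python
"""Route Origin Validation (RFC 6811) against a small ROA set.

Constructed example. Prefixes are RFC 5737 documentation ranges and AS
numbers are RFC 5398 documentation ASNs; none of them is the operator's
real address space or AS number.
"""
from dataclasses import dataclass
from ipaddress import ip_network

LEGIT_AS = 64496   # placeholder for the operator's own AS
ROGUE_AS = 64511   # placeholder for the "unknown autonomous system"

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder signed for, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length that may be announced under it
    asn: int          # the only origin AS this ROA authorizes


def _covers(roa: ROA, route) -> bool:
    """True if the ROA's prefix contains the announced prefix (same address family)."""
    net = ip_network(roa.prefix)
    return net.version == route.version and route.subnet_of(net)


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """Classify one (prefix, origin AS) announcement as RFC 6811 does.

    not-found: no ROA covers the prefix (most ROV policies still accept it)
    valid:     a covering ROA names this origin AS and allows this length
    invalid:   covered, but no ROA names this origin AS at this length
    """
    route = ip_network(route_prefix, strict=True)
    covering = [r for r in roas if _covers(r, route)]
    if not covering:
        return NOT_FOUND
    if any(r.asn == origin_asn and route.prefixlen <= r.max_length
           for r in covering):
        return VALID
    return INVALID


def audit(routes, roas) -> dict:
    """Status of every own announcement; anything not 'valid' needs a look.

    This is the check a network team can run against public RPKI data to
    notice foreign-origin ROAs appearing over its own address space.
    """
    return {(p, a): validate(p, a, roas) for p, a in routes}


def incident_walkthrough() -> dict:
    """Replays the mechanism from the article with constructed data."""
    own_routes = [("192.0.2.0/24", LEGIT_AS), ("198.51.100.0/24", LEGIT_AS)]

    # Before: the operator had published no ROAs for these blocks, so ROV
    # returned 'not-found' and peers accepted the routes.
    roas_before = set()

    # After: ROAs created through the compromised registrar account hand the
    # same blocks to a foreign AS. The operator's own announcements are now
    # 'invalid' and are dropped by every peer that enforces ROV.
    roas_after = {
        ROA("192.0.2.0/24", 24, ROGUE_AS),
        ROA("198.51.100.0/24", 24, ROGUE_AS),
    }

    # Counterfactual: had the operator already signed ROAs for its own AS, an
    # added foreign-AS ROA alone would not invalidate its routes; the existing
    # ROAs would have to be deleted or altered, a change that is far easier to
    # spot in the registry's audit trail and in ROA monitoring.
    roas_with_own = roas_after | {
        ROA("192.0.2.0/24", 24, LEGIT_AS),
        ROA("198.51.100.0/24", 24, LEGIT_AS),
    }
    return {
        "before": audit(own_routes, roas_before),
        "after": audit(own_routes, roas_after),
        "with_own_roas": audit(own_routes, roas_with_own),
    }


if __name__ == "__main__":
    for phase, statuses in incident_walkthrough().items():
        print(phase)
        for (prefix, asn), status in statuses.items():
            print(f"  AS{asn} {prefix:<18} {status}")
```

Two details of the decision matter for defenders. First, `not-found` and `invalid` are treated differently by almost every ROV policy: unsigned space is accepted, while space covered only by a foreign-origin ROA is dropped, which is why creating a ROA for someone else's block is enough to take their announcements off the table at ROV-enforcing peers. Second, the `max_length` check means a ROA that is correct in origin AS but too short in maximum length also invalidates more-specific announcements, so an operator's own ROAs must be kept in step with what it actually announces; running `audit()` against freshly fetched ROA data is the routine check that catches both cases.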