A hacker has compromised the RIPE account of the Spanish provider Orange and modified its BGP routing and RPKI configuration. As a result, many of the provider’s customers lost connectivity and could no longer reach many websites.

Orange Spain confirms on X that the outage started on January 3. The provider states that it was only a connectivity problem. A hacker who calls herself Ms Snow claims responsibility for the hack. She allegedly gained access to the RIPE administrator account that Orange used to manage its BGP routing. Snow says in a follow-up tweet that she gained access to that account because its security was ‘very questionable’. Snow found the credentials in a data dump from an older botnet. Orange allegedly used ripeadmin as the password and had not enabled two-factor authentication.

Security company Hudson Rock, which investigated the hack, also confirms the latter. According to Hudson Rock, an Orange employee’s computer was infected with the Raccoon malware, an infostealer that harvests data such as saved credentials from infected machines.

The attacker managed to modify the Border Gateway Protocol configuration via RIPE. BGP is the protocol that exchanges routing information between networks, for example between two routers or between a router and a provider. It tells a provider which network a block of IP addresses belongs to and can, for example, find the fastest route between those different networks. BGP was the cause of a major outage at Facebook that lasted for hours in 2021, about which Tweakers wrote an explanatory article at the time. Something similar happened this week at Orange via RIPE, a public database of IP addresses and autonomous system (AS) numbers. Orange managed its BGP infrastructure via RIPE. After hacker Snow gained access to Orange’s RIPE settings, she was able to modify the BGP configuration.

The hacker did this by changing Orange’s AS number. She then committed an invalid RPKI configuration. The Resource Public Key Infrastructure standard is a cryptographic way to validate BGP routing; an RPKI record lets other networks check whether a BGP route announcement originates from the correct AS number. Once the RPKI configuration had been altered, Orange’s BGP routing no longer worked properly. Certain IP addresses were therefore no longer reachable, meaning that the provider’s customers were temporarily unable to reach large parts of the internet.
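To make that check concrete, the following is an added example (not code from the article, Orange or RIPE) implementing RFC 6811 route origin validation over a constructed set of ROAs; the prefixes and AS numbers are documentation values, not Orange's, and the "tampered" ROA simply has its origin AS rewritten, standing in for the invalid configuration described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed example data: RFC 5737 documentation prefixes and RFC 5398
# documentation AS numbers. These are NOT Orange's real prefixes or ASN.


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: prefix, max announced length, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


def _covers(roa: ROA, route: ipaddress._BaseNetwork) -> bool:
    """True if the ROA prefix is equal to or less specific than the announced route."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == route.version and route.subnet_of(roa_net)


def validate_route(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _covers(r, route)]
    if not covering:
        return "not-found"            # no ROA says anything about this prefix
    if any(r.origin_asn == origin_asn and route.prefixlen <= r.max_length for r in covering):
        return "valid"                # some ROA authorizes this origin at this length
    return "invalid"                  # covered by a ROA, but no ROA matches


def rov_filter(roas: Iterable[ROA], announcements: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Announcements a ROV-enforcing peer keeps: valid and not-found; invalid is dropped."""
    return [a for a in announcements if validate_route(roas, *a) != "invalid"]


# Legitimate ROA as published by the prefix holder.
ROAS_BEFORE = [ROA("192.0.2.0/24", 24, 64496)]
# The same ROA after someone with RIPE account access rewrote the origin AS.
ROAS_TAMPERED = [ROA("192.0.2.0/24", 24, 64511)]
# The holder's own BGP announcements, unchanged throughout.
ANNOUNCEMENTS = [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64496)]


def incident_effect() -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """What ROV-enforcing peers accept before and after the ROA tampering."""
    return rov_filter(ROAS_BEFORE, ANNOUNCEMENTS), rov_filter(ROAS_TAMPERED, ANNOUNCEMENTS)
```

Running `incident_effect()` shows the point of the article: the announcement itself never changed, yet after the ROA is altered every peer that enforces ROV drops 192.0.2.0/24 as RPKI-invalid, while the prefix without any ROA is still accepted as not-found.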

Snow called on Orange via X to contact her to obtain new RIPE administrative credentials. Ultimately, the outage lasted only a few hours. It is not known whether Orange restored the BGP routing itself or whether it was in contact with the hacker.