Major Spanish mobile carrier suffers three-hour outage after account takeover

Jason Macuray
One of Spain’s biggest mobile carriers said it had restored services after a hacker caused an outage by manipulating crucial information about the company’s internet infrastructure.

Orange España acknowledged the incident Wednesday on social media, saying it had “affected some of our customers,” but that service was “practically restored” as of the evening. It was unclear if the internet outages directly affected the Madrid-based company’s mobile phone service, but overall the internet-related outage lasted about three hours.

Cybersecurity experts who examined the incident marveled at some aspects of it. Reports said that the initial breach was to the company’s account on RIPE, the regional internet registry for Europe.

First reported by BleepingComputer, the breach was claimed by a hacker who boasted of the attack on Twitter. The attacker shared images of their administrative account access, and Orange España even responded to the tweet, acknowledging that it was addressing the issue.

Using the images shared, researchers at cybersecurity firm Hudson Rock traced the breach back to the computer of an Orange Spain employee “who was infected by an Infostealer earlier this year.”

“The Orange employee had their computer infected by a Raccoon type Infostealer on September 4th 2023, and among the corporate credentials identified on the machine, the employee had specific credentials to “” using the email address which was revealed by the threat actor ([email protected]),” they found.

“It is also worth noting that the password that was used on Orange’s RIPE administrator account was ‘ripeadmin’ which is ridiculously weak.”

With access to the RIPE account, the hacker was able to disrupt how Orange’s internet addresses appeared to the Border Gateway Protocol (BGP), a cornerstone for the handling of global digital traffic. BGP is essentially a set of rules that help determine the best routes for data.

More specifically, the hacker changed the autonomous system (AS) number associated with Orange’s IP addresses. When assigned properly, AS numbers allow networks to exchange information with the rest of the internet.

In addition, the attacker created an invalid Resource Public Key Infrastructure (RPKI) configuration for Orange. RPKI is supposed to help secure BGP routing, but in this incident, the hacker used it to ensure that the switch to the AS number led to problems.
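
An added example, not part of the original report: a minimal route origin validation check (RFC 6811) showing why a ROA that names the wrong origin AS turns a network's own legitimate BGP announcements "invalid" for peers that enforce RPKI. The prefixes and AS numbers are documentation-range values constructed for illustration, and the tampered ROA set is an assumed shape of such a change, not data from the incident.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # address block the ROA covers
    max_length: int   # longest prefix length the ROA authorises
    asn: int          # AS authorised to originate the block


def validate_origin(route_prefix, origin_asn, roas):
    """Route origin validation per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the route
        covered = True
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: enforcing peers drop it.
    return "invalid" if covered else "not-found"


def audit_own_routes(announcements, roas):
    """Return the (prefix, origin AS) pairs that would currently validate as invalid."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) == "invalid"]


# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
OWN_ROUTES = [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64496)]
ROAS_EXPECTED = [ROA("192.0.2.0/24", 24, 64496)]
# Assumed shape of a tampered registry state: ROAs naming an unrelated origin AS.
ROAS_TAMPERED = [ROA("192.0.2.0/24", 24, 64511), ROA("198.51.100.0/24", 24, 64511)]

if __name__ == "__main__":
    for label, roas in (("expected", ROAS_EXPECTED), ("tampered", ROAS_TAMPERED)):
        for prefix, asn in OWN_ROUTES:
            print(label, prefix, f"AS{asn}", validate_origin(prefix, asn, roas))
        print(label, "routes at risk:", audit_own_routes(OWN_ROUTES, roas))
```

Run on a schedule against an operator's announced prefixes and a validated ROA export, a check of this kind flags a registry change that makes the operator's own routes invalid.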

Internet access monitor Cloudflare said it observed a massive disruption to Orange’s internet access and a 50% decrease in traffic.

Orange said on social media that no client data had been compromised, and the incident “only affected the navigation of some services.”

RIPE published its own response to the controversy, writing in a statement that it is investigating the compromise of the account which “resulted in some services of the account holder being temporarily impacted.”

“We have restored access to the legitimate account holder and are working closely with them to ensure the integrity of the account. Our Information Security team is continuing to investigate whether any other accounts have been affected,” they said.

“Account holders who might be affected will be contacted directly by us. We encourage account holders to please update their passwords and enable multi-factor authentication for their accounts.”

When asked on social media why two-factor authentication was not already mandated, the organization said it is “expediting the 2FA implementation to make it mandatory for all RIPE NCC Access accounts ASAP.”

RIPE also said it plans “to introduce a variety of verification mechanisms” in the long term.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

