Orange Spain taken offline following massive cyberattack caused by “ridiculously weak” password

Orange Spain has suffered a major outage earlier this week after a threat actor going by the alias “Snow” obtained a “ridiculously weak” password for an account that manages the global routing table and controls the networks that deliver the company’s internet traffic.

Apparently, an administrator’s computer was infected by infostealing malware, which harvested the “ripeadmin” password sometime in September 2023. The threat actor then sold it on the dark web, probably to Snow. This threat actor used it to log into Orange’s RIPE NCC account.

As reported by ArsTechnica, the RIPE Network Coordination Center is one of five Regional Internet Registries responsible for managing and allocating IP addresses to Internet service providers, telecommunication organizations, and companies that manage their own network infrastructure. 

Sour Oranges

Once logged in, the hacker started making changes to the global routing table, which Orange uses to assign the traffic to different backbone providers. At first, the changes didn’t make much of a difference, but soon enough, “things got ugly”, as expert Doug Madory so vividly described in his technical writeup here

Long story short, Snow ended up turning an anti-route-hijacking tool into a denial of service for Orange users.

Orange España is the country’s second-biggest mobile operator, the media reported. In the aftermath, RIPE said it’s working on ways to improve account security.

The worst part about the incident is that Snow’s motives are yet unknown. Given the way the attacker behaved while changing the global routing table, the researchers speculate that they were simply experimenting with the access, seeing what could be done. Furthermore, there is even a chance that the attacker took things slowly in order to raise awareness of the weak password and only escalated when they saw mild reactions from the company.

More from TechRadar Pro