ClickCease Orange Spain Outage: BGP Traffic Hijacked by Threat Actor

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Orange Spain Outage: BGP Traffic Hijacked by Threat Actor

Wajahat Raja

January 19, 2024 - TuxCare expert team

In a recent cybersecurity incident, Orange Spain faced a significant internet outage on January 3, 2024. A threat actor, going by the name ‘Snow,’ exploited vulnerabilities in the company’s RIPE account. The Orange Spain outage resulted in the misconfiguration of Border Gateway Protocol (BGP) routing and the implementation of an invalid Resource Public Key Infrastructure (RPKI) configuration.


The BGP Traffic Hijack


The internet’s traffic routing relies on Border Gateway Protocol (BGP), allowing organizations to associate their IP addresses with autonomous system (AS) numbers. These associations are then advertised to connected routers, known as peers, forming a routing table. This table guides the optimal route for directing traffic to specific IP addresses.

However, malicious actors can exploit BGP’s trust-based structure. By falsely announcing IP ranges associated with another AS number, they can redirect traffic to malicious destinations. Cloudflare notes that BGP relies on trust, updating the routing table based on the shortest and most specific route provided by advertisers.

Introducing RPKI: A Solution to BGP Hijacking


To counter BGP hijacking, a cryptographic solution called Resource Public Key Infrastructure (RPKI) was introduced. RPKI associates BGP route announcements with the correct originating AS number. Enabling RPKI with a routing body like ARIN or RIPE allows a network to cryptographically certify that only routers under their control can advertise an AS number and its associated IP addresses.

Orange Spain Outage

Orange Spain service disruption unfolded when the threat actor ‘Snow’ compromised Orange Spain’s RIPE account. After breaching the account, Snow modified the AS number associated with the company’s IP addresses and enabled an invalid RPKI configuration. By creating false Route Origin Authorization (ROA) records, Snow indicated that a different AS number (AS49581) should announce Orange Spain’s IP address prefixes. Activating RPKI on these false records disrupted proper internet announcements. This resulted in noticeable Orange Spain network issues.

Orange Spain’s Response and Recovery

Acknowledging the
BGP routing incident, Orange Spain took swift action to restore services and confirmed the unauthorized access to its RIPE account. In a tweet, the company assured users that no client data was compromised as a result of the internet service provider outage, emphasizing the impact on service navigation only.

Internet Infrastructure Security

The method through which the threat actor breached the RIPE account remains uncertain. Felipe Cañizares, CTO of DMNTR Network Solutions, speculated that Orange Spain might not have implemented two-factor authentication on the account.

Credentials Compromised through Information-Stealing Malware

While Orange Spain did not disclose the specifics of the
telecom network outage, cybersecurity intelligence revealed that the threat actor cyber attack, Snow, obtained the account credentials through information-stealing malware. Hudson Rock’s research traced the compromise back to an infected computer on September 4th, 2023. The compromised credentials, including the email address ([email protected]) and the password (‘ripeadmin’), were found in a list of accounts stolen by the malware.

Hacker’s Admission and Motivation

Snow later confirmed the ease with which they accessed the account, highlighting the questionable password security. In a post on Twitter/X, Snow mentioned finding the credentials in public leaks of stolen data, emphasizing the absence of two-factor authentication. When asked about their motivation, the hacker claimed to have done it for the “lulz” or laughs.

Orange Spain Incident Analysis

In response to the
Orange Spain outage, RIPE conducted an investigation, restored Orange’s account, and urged users to enable multi-factor authentication. RIPE emphasized the importance of updating passwords and enabling additional security measures, reinforcing the need for a multi-layered defense against cyber threats.

In light of such incidents, it becomes imperative for all accounts, especially those with critical access like RIPE accounts, to have multi-factor authentication enabled. This additional layer of security ensures that even if credentials are compromised, unauthorized access becomes significantly more challenging for threat actors.


Orange Spain outage highlights the vulnerability of critical internet infrastructure and the importance of proactive cybersecurity measures. Threat actors often exploit stolen credentials to gain initial access to corporate networks, leading to various cyber threats, including data theft, espionage, and ransomware attacks. 

Implementing robust cybersecurity in telecommunications, such as RPKI and multi-factor authentication, is crucial in safeguarding against potential threats ensuring the resilience and continuity of online services.

The sources for this piece include articles in The Hacker News and Bleeping Computer


Orange Spain Outage: BGP Traffic Hijacked by Threat Actor
Article Name
Orange Spain Outage: BGP Traffic Hijacked by Threat Actor
Discover the impact of the Orange Spain outage as a threat actor hijacks BGP traffic. Learn about the breach and steps for a swift recovery.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter