Orange Suffers an Outage After Attackers Gain Access to Their Internet Registration Account

By Karla Reffold

Spain’s largest mobile carrier, Orange, had services interrupted for three hours this week after a threat actor was able to gain access to their internet infrastructure. Orange stated that no customer data was impacted and only some of their services were disrupted.

The breach has been traced to stolen employee credentials. The employee's access included RIPE, an internet registry for Europe. This allowed the threat actor to disrupt their internet addresses, access to their internet traffic, and ultimately their services. Orange has confirmed that multi-factor authentication (MFA) was not in place on this account and that they are currently in the process of rolling out MFA across their business. A weak password for their admin account was also revealed.

While an attack of this nature in Europe may not appear directly relevant to US companies, this attack highlights two growing trends within cybersecurity that insurance carriers may want to be aware of: the targeting of specific employees and the targeting of cloud or internet hosting companies.

This attack targeted a high-value employee who had access to critical business systems. While it has not been stated whether this employee was targeted directly or whether the threat actor simply got lucky with the account that was compromised, we see this trend in multiple attacks. Different techniques were deployed in the attack, but there are similarities here to the MGM attack, where specific employees were targeted. Employees with high-level IT access or the ability to transfer money are often the most targeted. [1]

A breach at a hosting company can cause significant damage to victims, due to the level of access this provides to a company’s infrastructure. In August 2023, two Danish cloud-hosting companies were victims of cyber attacks, leaving them facing risk of bankruptcy as they struggled to recover. [2] GoDaddy announced a multi-year campaign against them almost a year ago. [3] Cloud hosting provider Wasabi also finds itself in the news this week as it is sued by two hospitals. The hospitals accuse Wasabi of hosting data stolen from them, on behalf of ransomware group LockBit. [4] This is not the first time a cloud company has been accused of providing services to cyber criminals. Cloudzy was accused of hosting multiple threat actors in August 2023. [5]

This attack may highlight growing areas of focus for threat actors as company defenses become more sophisticated. However, security basics including password management and MFA remain relevant here.

 

[1] https://expertinsights.com/insights/which-of-your-employees-are-most-at-risk-of-cyber-attacks/
[2] https://www.helpnetsecurity.com/2023/08/24/cloudnordic-azero-ransomware/
[3] https://www.csoonline.com/article/574557/godaddy-connects-a-slew-of-past-attacks-to-a-multiyear-hacking-campaign.html
[4] https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-29th-2023-lockbit-targets-hospitals/
[5] https://therecord.media/iran-company-providing-ransomware-infrastructure

Published On: January 5, 2024. Categories: Blog, Resources.
