RIPE NCC Registry Investigation Report
16 May 2024
This report discloses the result of our investigation into attempts to gain control over resources held by RIPE NCC members. Please note that we do not comment on individual cases. This report is provided in the interest of transparency and provides an overview of the incidents affecting members.
Background Information
We were notified by a member that they had seen some unusual activity in their LIR account. This led us to proactively investigate multiple accounts, and our team uncovered a pattern of incidents.
RIPE NCC Access has been the target of a series of attempts to compromise the integrity of accounts. We recently published the outcome of our security investigation concerning attempts to brute force accounts and use leaked credentials to gain access to accounts. This report should be viewed independently of the security investigation report.
Findings
Our team investigated the reports of unauthorised access, detecting suspicious patterns of behaviour including unusual account updates, and, in some cases, changes to the registry by means of false documents.
Attempts were made to gain access to resources through fraud and to transfer resources without authorisation from the legitimate holders. After obtaining unauthorised access to accounts, fraudulent documents were submitted to initiate transfer processes. One member experienced an operational impact, and in two cases, resources were transferred, based on the submission of fraudulent documentation. The transfers were reverted following our investigation.
Actions Taken
In response to all reports, we used existing registry due diligence procedures in order to verify each rightful party. Once the legitimate contacts were verified:
- The verified contacts were granted access to their accounts.
- We audited their accounts to check their history and confirm which actions were legitimate.
- All unauthorised changes were reverted, including two transfers.
- Our legal analysis concluded that a report to the relevant data protection authorities was not required in this instance.
- The submission of fraudulent documents has been reported to the police in keeping with our procedures [1].
- We have terminated the membership of the party submitting fraudulent documents.
- The party submitting fraudulent documents faces a five-year membership ban.
Conclusion and Recommendations
This incident shows that we need to work closely with our members to raise awareness regarding account security best practices and heighten our monitoring. The timely identification of falsified documents shows that our due diligence framework is robust and effective. Furthermore, two-factor authentication is now mandatory for all RIPE NCC Access account holders, which should help prevent unauthorised access to accounts.
In recent years, we have seen increasingly sophisticated attempts by malicious actors to gain control over IPv4 address space. In 2022 alone, we undertook 219 hijack investigations and reviewed 12 disputed transfers, and in 2023, we saw 201 hijack investigations with 8 disputed transfers. We are continuously improving our monitoring and detection of suspicious activities and evolving our due diligence procedures.
We recommend that members:
- Report any suspicious activity to us immediately.
- Ensure that all contacts in their LIR account are valid and kept up to date.
- Be vigilant about the validity of their email domains and email security.
- Store account credentials in a secure manner and stop using shared accounts.
[1] Due Diligence for the Quality of the RIPE NCC Registration Data