Local firms fall victim as millions of IP addresses stolen

Read time 3min 20sec

Over 4.1 million Internet Protocol (IP) addresses belonging to African companies were stolen and inappropriately used, according to an internal audit conducted by the African Network Information Centre (AFRINIC).

The report, which was recently made public, is the outcome of an internal audit conducted by Mauritius-based AFRINIC, which is responsible for the allocation and management of Internet numbers (IPv4, IPv6 and ASNs) on the African continent.

According to the audit, over 4.1 million valuable IP addresses from AFRINIC’s pool of resources had been stolen, misappropriated and attributed to organisations without any justification.

The audit notes legacy resources that could have been compromised include IP addresses belonging to dozens of South African companies, including Sasol South Africa, the Free State Department of Education, Anglo American, Nedbank, Link Data Group, Woolworths and Nampak.

The findings of the internal audit follow investigations which commenced in July 2019, when AFRINIC’s board of directors commissioned an inquiry to be conducted into what is labelled the “IP address heist”, upon receipt of a court order from the Supreme Court of Mauritius, following an application made by the US Federal Investigation Bureau.

The findings of the investigation also reveal that “internal employees of AFRINIC may have, without any lawful authority, acted in collusion with other third-parties on the unlawful misappropriation of IPv4 resources, held by AFRINIC, which resulted in prejudice to the company and by extension to AFRINIC’s resource members and its community at large.

“The analysis of the records related to these IPv4 addresses and correspondence with the resource-holders found that dormant resources (ie, those resources not visible in routing tables) were mainly targeted; e-mail domains were also transferred as part of the ‘sale’ of IPv4 resources, thus rendering it almost impracticable to contact the initial source-holder. Maintainer passwords also appeared to have been handed over to subsequent buyers,” notes the AFRINIC audit.

One-year ‘quarantine’

AFRINIC notes that since February 2020, out of the total compromised IP resources, around 1 060 864 IPv4 addresses have been reclaimed; ie, deregistered from the AFRINIC WHOIS database, and are presently in ‘quarantine’ for a period of 12 months.

Following the ‘quarantine’ period, the resources may be added to AFRINIC’s pool of resources available for new allocations.

AFRINIC holds an inventory of all the Internet number resources that it administers, through the WHOIS database, a public database that contains information about registered IP address space, autonomous system numbers and routing policies.

It notes that almost 1 800 000 IPv4 addresses, deemed to be legacy addresses, appeared to have already been compromised and actions have been taken to contact the source-holders.

Furthermore, a total of 1 310 720 IPv4 resources are yet to be reclaimed due to ongoing diligence being carried out.

While the reversals and consolidations exercise was conducted by AFRINIC following a strict due diligence procedure, the IP management entity acknowledged there is nothing that prevents an aggrieved party from initiating legal actions against AFRINIC.

“AFRINIC acknowledges that the rate of reversals – ie, re-instating the records in the AFRINIC WHOIS database to its status immediately prior to the purported unauthorised changes occurred − has been very slow. In fact, a fair proportion of these resources have a ‘pending’ status and the reason being that the custodianship of these resources is being claimed by more than one organisation, thus giving rise to a dispute in respect thereof.”

Pending the determination of the rightful custodianship of these resources either between the disputants and/or a competent authority, these IPv4 addresses have been kept ‘locked’ and no further changes can be effected on the WHOIS database, says AFRINIC.

See also