Large chunks of Internet Protocol address space in Africa were stolen with the help of at least one insider at AFRINIC. That was the conclusion of Internet investigator Ron Guilmette after five months of detective work.
The primary function of the African Network Information Centre (AFRINIC) is to assign IP address blocks, and keep track of those assignments. If IP address space is like Internet real estate, then AFRINIC is the deeds office.
AFRINIC maintains a database of IP address blocks and makes it publicly available through the “WHOIS” standard.
Guilmette analysed the information in the AFRINIC WHOIS database and concluded that the records of many IP address blocks were manipulated by one or more bad actors.
This happened between 2010 and 2016, Guilmette found, and allowed whoever manipulated the blocks to take control of them.
It is estimated that the affected IP address blocks are worth around $54 million (R800 million).
Some of the affected IP address blocks are so-called “legacy” blocks – Internet resources that were legitimately assigned to various companies more than 20 years ago, but which had been forgotten and abandoned.
Separate from the legacy blocks, there are also several cases of freshly-assigned address blocks which Guilmette believes were illicitly taken from AFRINIC’s “free pool” – its inventory of available IPv4 addresses.
“In several cases involving both groups of blocks – legacy and non-legacy – there are subtle but clear indicators in the relevant official WHOIS records that, if followed like a trail of breadcrumbs, all appear to lead back to Mr Ernest M. Byaruhanga,” Guilmette said.
Byaruhanga was the second employee to be hired at AFRINIC in 2004, after former CEO and Internet Hall of Famer Adiel Akplogan.
In addition to the information in the WHOIS database, documents obtained from industry sources and public records in Uganda also lead back to Byaruhanga, Guilmette said.
One document shows that in 2012, a Ugandan company called Amiek Holdings Limited received $2,500 for the sale of a block of IP addresses to a South African email provider.
A query to the government-run Ugandan registrar of companies revealed that Byaruhanga and his immediate family are the shareholders of Amiek Holdings.
Following MyBroadband’s report about the theft of IP addresses from the African region, AFRINIC announced that it has reported the matter to the Central Criminal Investigation Division of the Mauritius Police Force.
AFRINIC stated that before he resigned, former CEO Alan Barrett had alerted the board that the WHOIS database may have been tampered with.
Barrett confirmed to MyBroadband that he informed the board about the manipulation of the AFRINIC WHOIS database in April 2019. He submitted a report to the AFRINIC board about the matter before his last day in July.
After Barrett’s report, the AFRINIC board launched its own investigation into the allegations that someone had tampered with its WHOIS database.
AFRINIC stated that it has sought the help of another regional Internet registry, the Asia-Pacific Network Information Centre (APNIC), to help with its independent investigation.
AFRINIC CEO to close security holes
The AFRINIC board said that in the meantime, it has tasked the current CEO with instituting internal measures to limit access and avoid manipulation of objects in the WHOIS database.
Eddy Kayihura took the role of AFRINIC CEO on 4 November.
Kayihura is to suspend or revoke the access of “implicated and/or suspected parties” who have access to infrastructure, services, and other resources.
“The board is considering what additional resources would be needed during the course of the investigation and action,” AFRINIC said.
Kayihura said that they approached APNIC for help because AFRINIC and APNIC have a good working relationship.
“APNIC, like all the other RIRs, have the capacity and are always willing to help,” Kayihura said. “APNIC were willing and ready to do it the moment we asked.”
MyBroadband contacted Byaruhanga for comment. Several attempts were made to contact Byaruhanga by phone and email, but he did not respond.
Kayihura told MyBroadband that neither AFRINIC staff members nor its directors are allowed to operate IP brokerages.
“This is against our policies, principles of ethics and standards,” Kayihura said.
“Hence, AFRINIC will not hesitate to take such action as it may deem fit against any of its staff or directors who are found to have breached those standards.”
MyBroadband also contacted former AFRINIC CEO Adiel Akplogan for comment. Akplogan said he was not aware of IP addresses being stolen and sold on the black market.
An in-depth report, which contains a detailed account of the research conducted into how these IP address blocks were stolen, has been published on MyBroadband.
Several of the key documents from which Guilmette drew his conclusions are also included in the report.