The African Network Information Centre (AFRINIC) has revealed that its board of directors has known since April 2019 that there may have been unauthorised manipulation of its WHOIS database.
MyBroadband and Ron Guilmette reported at the beginning of September that valuable Internet Protocol (IP) address blocks in AFRINIC’s jurisdiction had been misappropriated.
If you think of IP address blocks as Internet real estate, then the AFRINIC WHOIS database is like the deeds office.
At first, it appeared as though the address blocks had been stolen or squatted on by unscrupulous network operators.
Further investigation revealed that at least some of the blocks of IP addresses were stolen with the help of at least one AFRINIC insider who had altered the “title deeds” – the records in the AFRINIC WHOIS database.
The total estimated value of all of the stolen IP address blocks is over R800 million ($54.7 million).

Charges filed with the Mauritius Police

In a statement published to a public AFRINIC mailing list, the board said that the matter was reported to the Central Criminal Investigation Division of the Mauritius Police Force.
AFRINIC opened its case on 10 December 2019 — nearly a week after MyBroadband reported that the theft of valuable chunks of African Internet resources was most likely an inside job.
The AFRINIC board of directors also revealed that it has known for months that there was suspicious activity in its WHOIS database.
“The issue was first brought to the attention of the Board after the resignation of the former CEO who informed the Board that there might have been some unauthorised changes in the AFRINIC WHOIS database and that internal investigations were on-going,” the board stated.
AFRINIC announced on 30 April 2019 that former CEO Alan Barrett was stepping down and that his last day was 26 July.
Barrett confirmed that he informed the board about the manipulation of the AFRINIC WHOIS database in April. He also confirmed that before his last day in July, he submitted a report to the board.
After it received the report, AFRINIC sought the help of another Regional Internet Registry.
“The Board, in conjunction with the management led by the Interim CEO, decided to seek assistance from one of the RIRs,” the AFRINIC board said.
The AFRINIC interim CEO was Patrisse Deesse. Deesse is the director of finance and accounting at AFRINIC. He resigned from the organisation in October and is serving his notice period until 7 January 2020.
The Regional Internet Registry that AFRINIC selected to assist in its investigation was the Asia-Pacific Network Information Centre (APNIC).
“In order to ensure an independent assessment and internal investigation, APNIC was selected to lead the investigations,” the AFRINIC board stated.
“APNIC submitted a report which confirms some of the allegations [brought by former CEO Alan Barrett].”
AFRINIC declined to provide further information about the case.
“Unfortunately, we cannot, at this stage, add anything more on the matter so as not to cause prejudice to the on-going police investigation,” the board stated.

AFRINIC CEO to close security holes and suspend those implicated

The AFRINIC board said that in the meantime, it has tasked the current CEO with instituting internal measures to limit access and avoid manipulation of objects in the WHOIS database.
Eddy Kayihura took the role of AFRINIC CEO on 4 November.
Kayihura is to suspend or revoke the access of “implicated and/or suspected parties” who have access to infrastructure, services, and other resources.
“The Board is considering what additional resources would be needed during the course of the investigation and action,” AFRINIC said.