A cyber attack on routers of nearly 1 million Deutsche Telekom customers is part of a bigger campaign targeting web-connected devices around the globe, the German government and security researchers said on Tuesday. The revelation from the German Office for Information Security, or BSI, stoked fears of an increase in cyber attacks that disrupt internet service by exploiting common vulnerabilities in widely used routers, webcams, digital video recorders and other web-connected devices.
That technique, which used malicious software known as Mirai, was behind an October 21 attack that stopped millions of people in the United States and Europe reaching websites including PayPal, Twitter and Spotify. “This was not an attack against Deutsche Telekom. It was a global attack against all kinds of devices,” said Dirk Backofen, a senior Deutsche Telekom security executive. “How many other operators were affected, we don’t know,” he said.
Germany’s Office for Information Security said government networks were also targeted by hackers who launched Sunday’s attack on some 900,000 Deutsche Telekom customers, but authorities succeeded in keeping systems online.
“The BSI considers this outage to be part of a worldwide attack on selected remote management interfaces of DSL routers,” the government agency said on its website.
Such remote interfaces, or ports, allow network technicians to fix customers’ routers from afar, but have been found in certain cases to expose the equipment to outside attack. Both the attack and rapid recovery exploited this feature.
Deutsche Telekom, Germany’s largest telecom company, said internet outages hit as many as 900,000 of its users, or about 4.5 percent of its 20 million fixed-line customers, starting on Sunday, but the attack was thwarted before it could spread.
BRAZIL, BRITAIN, IRELAND
Other operators globally were targeted by the attacks and their systems may have been compromised, executives warned on Tuesday at a security conference organised by Deutsche Telekom. They advised network operators to look for tell-tale signs of infected machines, such as blocked customer service features.
Deutsche Telekom and the German government did not identify other victims, though cyber security firm Rapid7 Inc said it observed the attackers trying to infect routers across the globe.
Irish telecom operator Eir and Vodafone in Britain use routers that were vulnerable to the same kind of attack, Rapid7 security research manager Tod Beardsley said. “I do think we should expect to see more of the same,” he said.
Eir said in a statement it was aware of potential vulnerabilities in two broadband modem models produced for it by Taiwan’s ZyXel Communications Corp and used by about 30 percent of Eir customers. The two companies worked on fixing the issue.
“We have deployed a number of solutions both at the device and network level which will remove this risk,” Eir said. It reported the incident to Irish regulators.
Vodafone declined to comment on whether its customers had been hit but said in a statement that it is aware of a vulnerability affecting some broadband routers that could allow attackers to use them to mount a denial-of-service attack.
“This issue affects the industry and we are taking all necessary steps to protect our customers and networks.”
Flashpoint, a second US cyber security research firm, said it had also found vulnerable routers in Brazil and Britain. It did not name the affected companies or devices.
Mirai seeks out vulnerable connected devices, then turns them into remotely controlled “bots” for mounting large-scale attacks on websites, networks and other connected devices.
Deutsche Telekom executives apologised to customers for the outages but warned that this botnet would have overwhelmed the internet worldwide if unchecked, and still might do so.
“You can assume that somewhere in the world this attack will have been successful,” Thomas Tschersich, Deutsche Telekom’s head of IT security, told experts at the conference. Tschersich said Telekom had told other network operators and relevant security agencies what is known about the attack.
Security experts isolated problems among Deutsche Telekom’s German customers to three types of routers manufactured by Taiwan’s Arcadyan Technology and created a software patch which Telekom tested and pushed out to users on Monday. Arcadyan did not reply to Reuters’ requests for comment.
Security experts said attributing blame for the attacks may prove impossible because, while the creator of the original Mirai software showed great sophistication, its release onto the open internet in recent months means even teenage hackers with few technical skills could be to blame for follow-on attacks.
German Interior Minister Thomas de Maiziere said the lines between criminal activities and state-backed security attacks can no longer be clearly drawn.
“Attacks come from private and criminal organisations, but also from states, namely Russia and China take part in such attacks,” de Maiziere said in Berlin, saying that past assaults on Germany’s parliament were linked to Russian state-backed hackers. “That still can’t be determined for Sunday’s event.”