Nearly a million customers with German cable network Deutsche Telekom were hit by network outages on Sunday following a large scale cyber-attack.
The disruptions were blamed on a failed hacking attempt to hijack consumer router devices for a wider internet attack.
Deutsche Telekom said that as many as 900,000, or about 4.5 per cent of its 20 million fixed-line customers, suffered internet outages starting on Sunday and continuing into Monday, when the number of affected users began to decline sharply.
The outages appeared to be related to a botched attempt to turn a sizeable number of customers’ routers into a part of the Mirai botnet, according to Thomas Tschersich, head of IT security at Deutsche Telekom.
“In the framework of the attack, it was attempted to turn the routers into a part of a botnet,” he said.
Mirai is malicious software designed to turn network devices into remotely controlled ‘bots’ that can be used to mount large-scale network attacks. Last month, hackers used it to unleash an attack using common devices like webcams and digital recorders to cut access to some of the world’s best-known websites.
“Whether this attack could have been prevented depends on what type of vulnerability was used to infect the routers,” said Alex Mathews with cyber security firm Positive Technologies.
“For example, Mirai botnet code wasn’t too serious: the malware was looking for gadgets with well-known default passwords (admin: admin, root: password, and so on).
“If people had just changed these default passwords, their routers wouldn’t have been infected. On the other hand, the malware authors can use more serious, unknown vulnerability in routers’ firmware or in communication protocols.
“In this case, users hardly can do anything to protect themselves. Only serious security tests can detect such vulnerability. It should be done by service providers and by routers’ manufacturers… but unfortunately, they don’t do enough safety testing.”
Telekom resells routers from more than a dozen mostly Asian suppliers under the brand Speedport. It offered firmware updates on Monday to three models, all of which are made by Taiwan’s Arcadyan Technology.
The German network operator will be reviewing its cooperation with Arcadyan following the outage, Tschersich told Tagesspiegel.
The network monitoring site Allestoerungen.de (Breakdown) reported tens of thousands of complaints across Germany ranging from Berlin, Hamburg and Duesseldorf in the north to Frankfurt, Stuttgart and Munich in the south.
The site showed outages began to surge on Sunday afternoon and peaked after about two hours before picking up again on Monday.
Telekom said on Monday its security measures appeared to be taking effect and the number of customers affected had declined to around 400,000 by 1200 GMT on Monday.
German security officials said the outages looked like the work of hackers, several government sources said.
The company suggested that users having connection problems unplug their router, wait 30 seconds and then restart their device. But if problems continued, the network operator advised them to disconnect their equipment from the network.
Deutsche Telekom said the rest of its customers could use its fixed-line network without any issues.
Stephen Gates, chief research intelligence analyst at NSFOCUS, said: “Most people don’t know that all broadband service providers have ensured they have backdoors into ‘their’ customer-edge devices, which can be cable modems, DSL modems, routers, etc.
“The reason for this is simple. It ensures people don’t get services for free, while at the same time allowing the provider access into the remote devices for troubleshooting, updating, billing, etc. This helps reduce truck rolls and the associated costs. In this case, it appears that hackers have figured out a way to capitalise on the backdoor, and cause a noteworthy denial of service outage.”
An open source ‘hack-proof’ router was unveiled last month that automatically updates and patches vulnerabilities as they become known.