* Attack attempted to commandeer routers to crash internet
* 900,000 of 20 mln Telekom fixed network customers hit
* Operators in Brazil, Ireland and UK are vulnerable - experts
(Adds comments from security experts and operators in UK,
Ireland)
By Eric Auchard
FRANKFURT, Nov 29 (Reuters) - A cyber attack on routers of
nearly 1 million Deutsche Telekom (DTEGn.DE) customers is part
of a bigger campaign targeting web-connected devices around the
globe, the German government and security researchers said on
Tuesday.
The revelation from the German Office for Information
Security, or BSI, stoked fears of an increase in cyber attacks
that disrupt internet service by exploiting common
vulnerabilities in widely used routers, webcams, digital video
recorders and other web-connected devices.
That technique, which used malicious software known as
Mirai, was behind an Oct. 21 attack that stopped millions of
people in the United States and Europe reaching websites
including PayPal, Twitter and Spotify.
"This was not an attack against Deutsche Telekom. It was a
global attack against all kinds of devices," said Dirk Backofen,
a senior Deutsche Telekom security executive. "How many other
operators were affected, we don't know," he said.
Germany's Office for Information Security said government
networks were also targeted by hackers who launched Sunday's
attack on some 900,000 Deutsche Telekom customers, but
authorities succeeded in keeping systems online.
"The BSI considers this outage to be part of a worldwide
attack on selected remote management interfaces of DSL routers,"
the government agency said on its website.
Such remote interfaces, or ports, allow network technicians
to fix customers' routers from afar, but have been found in
certain cases to expose the equipment to outside attack. Both
the attack and rapid recovery exploited this feature.
Deutsche Telekom, Germany's largest telecom company, said
internet outages hit as many as 900,000 of its users, or about
4.5 percent of its 20 million fixed-line customers starting on
Sunday, but the attack was thwarted before it could spread.
BRAZIL, BRITAIN, IRELAND
Other operators globally were targeted by the attacks and
their systems may have been compromised, executives warned on
Tuesday at a security conference organised by Deutsche Telekom.
They advised network operators to look for tell-tale signs of
infected machines, such as blocked customer service features.
Deutsche Telekom and the German government did not identify
other victims, though cyber security firm Rapid7 Inc (RPD.O)
said it observed the attackers trying to infect routers across
the globe.
Irish telecom operator Eir and Vodafone (VOD.L) in Britain
use routers that were vulnerable to the same kind of attack, Rapid7
security research manager Tod Beardsley said. "I do think we
should expect to see more of the same," he said.
Eir said in a statement it was aware of potential
vulnerabilities in two broadband modem models produced for it by
Taiwan's ZyXel Communications Corp and used by about 30 percent
of Eir customers. The two companies worked on fixing the issue.
"We have deployed a number of solutions both at the
device and network level which will remove this risk," Eir said.
It reported the incident to Irish regulators.
Vodafone declined to comment on whether its customers had
been hit but said in a statement that it is aware of a
vulnerability affecting some broadband routers that could allow
attackers to use them to mount a denial-of-service attack.
"This issue affects the industry and we are taking all
necessary steps to protect our customers and networks."
Flashpoint, a second U.S. cyber security research firm, said
it had also found vulnerable routers in Brazil and Britain. It
did not name the affected companies or devices.
UNKNOWN ENEMY
Mirai seeks out vulnerable connected devices, then turns
them into remotely controlled "bots" for mounting large-scale
attacks on websites, networks and other connected devices.
Deutsche Telekom executives apologised to customers for the
outages but warned that this botnet would have overwhelmed the
internet worldwide if unchecked, and still might do so.
"You can assume that somewhere in the world this attack will
have been successful," Thomas Tschersich, Deutsche Telekom's
head of IT security, told experts at the conference.
Tschersich said Telekom had told other network operators and
relevant security agencies what is known about the attack.
Security experts isolated problems among its German
customers to three types of routers manufactured by Taiwan's
Arcadyan Technology (3596.TW) and created a software patch which
Telekom tested and pushed out to users on Monday.
Arcadyan did not reply to Reuters' requests for comment.
Security experts said attributing blame for the attacks may
prove impossible because, while the creator of the original
Mirai software showed great sophistication, its release onto the
open internet in recent months means even teenage hackers with
few technical skills could be to blame for follow-on attacks.
German Interior Minister Thomas de Maiziere said the lines
between criminal activities and state-backed security attacks
can no longer be clearly drawn.
"Attacks come from private and criminal organisations, but
also from states, namely Russia and China take part in such
attacks," de Maiziere said in Berlin, saying that past assaults
on Germany's parliament were linked to Russian state-backed
hackers. "That still can't be determined for Sunday's event."
(Additional reporting by Jim Finkle in Boston, Harro Ten Wolde,
Ilona Wissenbach and Peter Maushagen in Frankfurt and Caroline
Copley, Andreas Rinke and Sabine Siebold in Berlin; Editing by Mark
Potter/Ruth Pitchford)