Global internet attack
November 29, 2016
Deutsche Telekom's head of IT security and the German Office for Information Security (BSI) said on Tuesday that the outages appeared to be tied to a botched attempt to commandeer customers' routers to disrupt internet traffic around the world.
"The BSI considers this outage to be part of a worldwide attack on selected remote management interfaces of DSL routers," the government agency said on its website.
Dirk Backofen, a senior Deutsche Telekom security executive told a conference jointly organized by the company and BSI on Tuesday, the attack was not an attack against Deutsche Telekom. "It was a global attack against all kinds of devices. How many other operators were affected, we don't know," he said.
Over the past two days, the German communications company was the target of a failed hacking attempt on consumer router devices. Deutsche Telekom confirmed that around 900,000 customers had their broadband disconnected - about 4.5 percent of its customer base. Customers experienced disruptions to broadband connections, including mobile line, TV or internet services.
Mirai worm
Deutsche Telekom said the issues seemed to be connected to an attempt to make a number of customers' routers part of the Mirai botnet.
Mirai is malware that attempts to turn network devices into remotely controlled bots. These bots can ultimately be used for large-scale DDoS attacks against other targets across the internet. Last month, Mirai cut off access to some of the world's best known websites, including Twitter and Spotify.
Deutsche Telekom officials said the Mirai malware was modified by unknown attackers to target certain models of routers used in homes and offices. But the attempt was thwarted by defensive measures designed to block malware in the Deutsche Telekom network. Nonetheless, these defenses had the effect of knocking affected routers offline.
The German Office for Information Security (BSI) said the attack had also targeted the German government's network but had failed because defensive measures had proved effective.
Attack successful elsewhere?
BSI as well as Deutsche Telekom said they presumed that other operators globally were targeted by the attacks and their systems might have been compromised. They warned the massive firepower created by this botnet would have overwhelmed the internet worldwide if unchecked, and still might do so.
"You can assume that somewhere in the world this attack will have been successful," said Thomas Tschersich, Deutsche Telekom's head of IT security.
The German experts advised network operators to look for tell-tale signs of infected machines, such as blocked customer service features.
No smoking gun
At the Deutsche Telekom conference, security experts said attributing blame for the attacks may prove impossible. While the creator of the original Mirai software had shown great sophistication, its release onto the open internet in recent months meant that even less knowledgeable hackers could engineer follow-on attacks.
Bruce Schneier, a top US computer security expert told the conference: "The first one uses skill, everyone else uses software."
German Interior Minister Thomas de Maiziere said he did not want to speculate on who was behind the action but noted that the lines between criminal activities and state-backed security attacks could no longer be clearly drawn.
"Attacks come from private and criminal organizations, but also from states, namely Russia and China take part in such attacks," de Maiziere said in Berlin, noting that past assaults on Germany's parliament were linked to Russian state-backed hackers. "That still can't be determined for Sunday's event," he added.
uhe/kd (Reuters, AFP, dpa)