German telecom giant Deutsche Telekom has confirmed that the connectivity problems some 900,000 of its customers experienced on Sunday are the result of a hack attempt.
“Following the latest findings, routers of Deutsche Telekom customers were affected by an attack from outside. Our network was not affected at any time. The attack attempted to infect routers with a malware but failed, which caused crashes or restrictions for four to five percent of all routers. This led to a restricted use of Deutsche Telekom services for affected customers,” the company explained.
“According to our knowledge, an attack on maintenance interfaces is currently taking place worldwide. This was also confirmed by the Federal Office for Information Security.”
To mitigate the attack, Deutsche Telekom implemented a series of filter measures in its network and has provided a firmware update for the targeted routers: Speedport W 921V and Speedport W 723V Typ (Type) B. The update should prevent this particular malware/attack from succeeding and from accidentally (or deliberately?) creating a denial-of-service situation.
“Currently, a software update is provided to all affected customers to fix the router problem. The software rollout already started and we can see the success of this measure,” the company noted, and instructed affected customers to unplug their router for 30 seconds, as the reboot clears the malware from the device.
Apparently, this particular piece of malware is loaded in the device’s memory, which is wiped after a reboot. The infamous Mirai malware is similarly loaded into target IoT devices, and can be removed by rebooting them.
This latest attack was likely just another attempt to rope users’ devices into a botnet.
After the routers are plugged in and turned on again, the new software will be installed automatically from the servers, but if it’s not, it can be downloaded manually.
Deutsche Telekom has offered a free Internet day pass to affected customers who are also mobile customers of the company, and has instructed the rest to contact the company for help.
UPDATE: Kaspersky Lab researchers say that the malware attacking Deutsche Telekom customers’ routers is a variant of the Mirai malware.