* Attack attempted to commandeer routers to crash internet
* Deutsche Telekom says routers made by Arcadyan affected
* 900,000 of 20 mln Telekom fixed network customers hit
* Outages a result of Telekom network defending against
(Adds comments from minister, Telekom execs, details)
By Eric Auchard
FRANKFURT, Nov 29 Internet outages that have hit
hundreds of thousands of Deutsche Telekom customers
in Germany since Sunday were part of a worldwide attempt to
hijack routing devices, German government and commercial
security experts said on Tuesday.
Other operators globally were targeted by the attacks and
their systems may have been compromised, executives warned on
Tuesday at a security conference organised by Deutsche Telekom.
They advised network operators to look for tell-tale signs of
infected machines, such as blocked customer service features.
Deutsche Telekom, Germany's largest telecom company, said
the attack caused internet outages for as many as 900,000 of its
users, or about 4.5 percent of its 20 million fixed-line
customers, but said it was thwarted before it could spread.
The attack used malicious software known as Mirai, which
last month cut off access to some of the world's best known
websites, including Twitter and Spotify.
Mirai can turn network devices ranging from webcams to
digital recorders to internet routers into remotely controlled
"bots" that can be used to mount large-scale attacks against
other targets across the internet.
"This was not an attack against Deutsche Telekom. It was a
global attack against all kinds of devices," said Dirk Backofen,
a senior Deutsche Telekom security executive. "How many other
operators were affected, we don't know," he said.
The German Office for Information Security (BSI) said the
attack had also targeted the German government's network but had
failed because defensive measures had proved effective.
"The BSI considers this outage to be part of a worldwide
attack on selected remote management interfaces of DSL routers,"
the government agency said on its website.
Such remote interfaces, or ports, allow network technicians
to fix customers' routers from afar, but have been found in
certain cases to expose the equipment to outside attack. Both
the attack and rapid recovery exploited this feature.
The Mirai malware was modified by unknown attackers to
target certain models of routers used in homes and offices, but
was thwarted by defensive measures designed to block malware in
the Deutsche Telekom network, company executives said.
Nonetheless, these defences had the effect of knocking
affected routers offline, resulting in Internet outages for
nearly 1 million Telekom customers, who rely on these boxes for
internet service, voice calling and online TV reception.
Telekom executives apologised to customers but warned the
massive firepower created by this botnet would have overwhelmed
the internet worldwide if unchecked, and still might do so.
"You can assume that somewhere in the world this attack will
have been successful," Thomas Tschersich, Deutsche Telekom's
head of IT security, told experts at the conference.
Tschersich said Telekom had notified other network operators
around the world and relevant security agencies of what is known
about the attack.
The outages started on Sunday and continued through Tuesday,
albeit with a lot fewer crippled devices.
Telekom resells routers from more than a dozen mostly Asian
suppliers under the brand Speedport.
Security experts worked late into the night on Sunday to
isolate the issues among its German customers to three types of
routers manufactured by Taiwan's Arcadyan Technology.
The companies worked together to create a software patch which
Telekom quickly tested and pushed out to users on Monday.
Arcadyan did not reply to Reuters' requests for comment.
Security experts said attributing blame for the attacks may
prove impossible because, while the creator of the original
Mirai software showed great sophistication, its release onto the
open internet in recent months means even teenaged hackers with
few technical skills could be to blame for follow-on attacks.
Bruce Schneier, a top U.S. computer security expert also
speaking at the Telekom conference, warned of the limited
technical knowledge required to mount subsequent attacks: "The
first one uses skill, everyone else uses software", he said.
German Interior Minister Thomas de Maiziere said he did not
want to speculate on who was behind the action but noted that
the lines between criminal activities and state-backed security
attacks can no longer be clearly drawn.
"Attacks come from private and criminal organisations, but
also from states, namely Russia and China take part in such
attacks," de Maiziere said in Berlin, noting that past assaults
on Germany's parliament were linked to Russian state-backed
hackers. "That still can't be determined for Sunday's event."
(Additional reporting by Harro Ten Wolde, Ilona Wissenbach and
Peter Maushagen in Frankfurt and Caroline Copley, Andreas Rinke
and Sabine Siebold in Berlin; Editing by Keith Weir and Mark