900,000 Routers Knocked Offline in Germany amid Rumors of Cyber-Attack

For two days now, over 900,000 routers belonging to Deutsche Telekom users in Germany have been knocked offline following a supposed cyber-attack.

First problems appeared on Sunday, November 27, at around 17:00, local time, when users started complaining that they couldn't connect online using their standard Deutsche Telekom router.

While the issue subsided after two hours on Sunday, today, on Monday, starting at 08:00, the same problem reappeared, and many users complained about the lack of any service from Deutsche Telekom, Germany's biggest telecommunications provider.

Users all over Germany are affected

The company, which provides various services to around 20 million customers, said on Facebook that it fixed the issue at around 12:00, local time.

Despite this, users kept complaining and reported similar connectivity issues even after Deutsche Telekom's announcement.

The downtime affected customers all over the country, not just in a specific area, according to a map by Allestoerungen.de.

The affected routers weren't only providing Internet access to Deutsche Telekom users, but they also ensured fixed telephony and television services as well.

Telco provider blames downtime on hackers

In statements to Germany media, the company blamed the incident on hackers and said it was working with equipment vendors to fix the issue and provide a software patch.

On Facebook, Deutsche Telekom engineers recommended that users unplug their devices, wait for 30 seconds and restart their router. If the equipment fails to connect to the company's network, engineers told users to disconnect their device from the company's network permanently.

To compensate the downtime, Deutsche Telekom is offering free mobile Internet until the technical problem is resolved.

Routers can't connect to Deutsche Telekom's network

The incident seems to be a technical issue that prevents the equipment from connecting to Deutsche Telekom's infrastructure. Deutsche Telekom didn't provide technical details about the affected router make and model.

With the large number of router worms and IoT malware going around today, it may be possible that one such strain had infected the router model distributed by Deutsche Telekom to its customers.

A bug in the malware's exploit code might have caused the issue that prevented equipment from connecting to the provider's servers, but at this stage, this is only speculation.

Because the story was ongoing at the time of publishing, we have a series of details that came to light post-publication.

UPDATE 1: Minutes after we published our article, a report from ISC Sans highlighted an increase in scans and exploitation attempts for a SOAP Remote Code Execution (RCE) vulnerability via port 7547 against Speedport routers, which are widely deployed in Germany by Deutsche Telekom. The same issue affects Eir D1000 wireless routers (rebranded Zyxel Modem) deployed by Irish ISP Eir, albeit there are no signs that these routers are actively exploited.

UPDATE 2: A report released by BadCyber links the attempts to exploit Eir D100 (Zyxel Modems) via port 7547 to the infamous Mirai IoT malware.

UPDATE 3: Deutsche Telekom is currently rolling out firmware updates. The advice the company's engineers gave on Facebook earlier today, for users to power down their devices and restart after 30 seconds, was meant to force routers to fetch the new firmware during the bootup process.

UPDATE 4: Security researcher MalwareTech says the Mirai botnet attempting to exploit Deutsche Telekom's network is the infamous "Botnet #14" that has attempted to bring down Internet connection in Liberia. In a previous article, we linked traced some connection between Botnet #14 and a DDoS-for-hire service advertised via Jabber spam. BestBuy, one of the hackers behind the service, said they were in possession of the SOAP RCE vulnerability that was used against the Deutsche Telekom routers, but he denied of being behind the exploitation attempts that brought down the telco's infrastructure.

UPDATE 5: Malware experts at Kaserpsky Lab have also confirmed a version of the Mirai IoT malware is behind the attacks on Deutsche Telekom routers.

UPDATE 6: Deutsche Telekom has issued an official statement on the attacks.