Menu
Browse

Cyber Threat Actor: The Doctor

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
India
3 incidents
Profile

The threat actor known publicly as The Doctor and as the author of BrickerBot is associated with India, where the individual or group has been linked to several disruptive incidents targeting networking equipment. The actor’s aliases reference the BrickerBot malware family, which is recognized for overwriting storage on exposed Internet of Things devices to render them inoperable. Public reporting ties the actor to attacks that exploit devices retaining factory default credentials, hard‑coded login details, and open TR069 management ports, indicating a focus on poorly secured consumer‑grade hardware.

Targeting has been observed primarily within the telecommunications sector, affecting major Indian telecom providers and a state‑owned operator, as well as a Californian Internet service provider. The actor’s stated objective, as described in connection with the Indian telecom incident, is to conduct a global cleanup effort against vulnerable infrastructure rather than to pursue financial gain, espionage, or political aims. This positions the activity as a form of disruptive intent aimed at removing insecure devices from the network, with the side effect of causing widespread connectivity loss for legitimate users. The actor’s typical tactics involve gaining initial access through default or hard‑coded credentials on devices exposed via TR069, then deploying BrickerBot to overwrite storage and brick the equipment; the malware’s effect can be reversed when the device is reflashed or its credentials are reset, as seen in the Indian telecom case where no permanent hardware damage was reported.

Representative operations include the July 2017 campaign that disrupted service for over 60,000 modems and routers belonging to Indian telecom firms, exploiting open TR069 ports and default logins to trigger widespread but recoverable outages. Another notable event occurred in April 2017 when a Californian ISP suffered an outage after BrickerBot—potentially alongside Mirai—compromised Zyxel HN‑51 devices, prompting hardware replacement and repair efforts amid significant customer impact. These incidents illustrate the actor’s reliance on IoT‑focused malware that leverages credential weaknesses and management‑plane exposure to achieve disruptive effects on broadband infrastructure.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
0 sources