Cyber Incident Victim: Mahanagar Telephone Nigam Limited
Date: Jul 2017
Location: India
Summary
A cyber-attack on India's state-owned telecommunications providers MTNL and BSNL knocked more than 60,000 modems and routers offline, causing broadband outages across several regions. The attack, claimed by the author of the BrickerBot malware, reached customer premises equipment through the TR-069 management port (TCP/7547) left reachable from the internet and logged in with factory-default or hard-coded credentials; newly installed equipment, still on its default password, was hit hardest. Unlike earlier BrickerBot incidents, which permanently destroyed devices, most of the affected equipment was recoverable by a reset and password change, but the outages dragged on because BSNL employees were on strike at the same time. Both providers mitigated the attack by filtering access to the port, after which the number of exposed devices fell sharply. The malware's author described the operation as a global clean-up of vulnerable internet-connected devices rather than a politically motivated act.
Description
The cyber incident affecting Mahanagar Telephone Nigam Limited (MTNL) and Bharat Sanchar Nigam Limited (BSNL) began on July 25, 2017, when modems and routers across multiple Indian states started to lose internet connectivity and stayed down. Affected devices showed a persistent red status LED and could no longer pass broadband traffic. The first reports came from customers of both state-owned providers, and BSNL confirmed malware as the root cause. The disruption extended beyond customer premises equipment to routers within BSNL's National Internet Backbone, although those core components were restored promptly. Technical staff attributed the scale of the impact to malware logging in to devices that still carried factory-default credentials, in particular the common "admin/admin" combination. Service interruptions persisted through July 29, made worse by coinciding labour strikes that hampered BSNL's response in the northeastern, northern, and southern regions of India.

BSNL put the operational impact at approximately 60,000 disabled modems, about 45% of its broadband subscriber base; MTNL did not disclose figures. A BSNL principal general manager later said that 90% of newly deployed modems had been compromised, every one of them still on its default password. The malware's author, writing under the BrickerBot name, claimed responsibility through Bleeping Computer and described the attack as part of a global campaign against vulnerable internet-connected devices rather than an operation aimed at India. The mechanism described was access through the TR-069 management port (TCP/7547) exposed to the internet, using default or hard-coded manufacturer credentials to overwrite flash storage and so "brick" the device. Unlike earlier BrickerBot incidents, which caused permanent damage, the affected MTNL and BSNL customer equipment could be recovered by resetting it and changing the password. Both providers had put port filtering in place by July 29, and observed attacks fell sharply once they did. Recovery still required extensive support effort: remote help with password changes, technicians sent to customer sites, customer education campaigns, and modem resets at field offices. Engineers also reported that some devices failed again soon after being reset and reconnected. The page does not say why, but a factory reset restores the very default credentials the attack used, so a reset device that went back online before its password was changed and the port filtered would have been exposed exactly as before; the reports are consistent with reinfection of such devices or with other weaknesses remaining in the ecosystem.
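The description above gives the exposure (TR-069 on TCP/7547 reachable from the internet, factory-default logins) and the mitigation (port filtering) but not how an operator would spot such a sweep in its own logs. The following is an added example, not code from the page or from either operator: it runs a simple sweep detector over constructed edge-router log lines, lists the CPE that accepted a default username from a sweeping source, and prints the nftables fragment that restricts the port to the auto-configuration server (ACS). The log format, the default-username list beyond "admin", the ACS address 198.51.100.10 and the attacker addresses (all from documentation ranges), and the 3-targets-in-5-minutes threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real MTNL/BSNL data). The record format is a
# hypothetical edge-router syslog line: ISO timestamp, source IP, destination
# CPE IP, destination port, the username offered, and the auth outcome.
SAMPLE_LOG = """\
2017-07-25T10:00:01 src=198.51.100.10 dst=10.0.0.11 dport=7547 user=acs auth=ok
2017-07-25T10:00:05 src=198.51.100.10 dst=10.0.0.12 dport=7547 user=acs auth=ok
2017-07-25T10:00:09 src=198.51.100.10 dst=10.0.0.13 dport=7547 user=acs auth=ok
2017-07-25T10:12:00 src=203.0.113.5 dst=10.0.0.11 dport=7547 user=admin auth=ok
2017-07-25T10:12:02 src=203.0.113.5 dst=10.0.0.12 dport=7547 user=admin auth=fail
2017-07-25T10:12:03 src=203.0.113.5 dst=10.0.0.13 dport=7547 user=admin auth=ok
2017-07-25T10:12:05 src=203.0.113.5 dst=10.0.0.14 dport=7547 user=root auth=fail
2017-07-25T10:30:00 src=203.0.113.7 dst=10.0.0.20 dport=7547 user=admin auth=fail
2017-07-25T10:31:00 src=203.0.113.7 dst=10.0.0.20 dport=80 user=admin auth=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) auth=(?P<auth>ok|fail)$"
)

# The page only confirms "admin"; the other names are assumed for illustration.
DEFAULT_USERS = frozenset({"admin", "root", "support", "user"})
TR069_PORT = 7547


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        yield ev


def find_sweeps(events, window=timedelta(minutes=5), min_targets=3,
                port=TR069_PORT, acs_allowlist=frozenset()):
    """Return {src: [dst, ...]} for sources that reached at least min_targets
    distinct CPE on `port` inside any `window`. Known ACS addresses are
    excluded: the legitimate ACS also fans out over 7547 and would otherwise
    look exactly like a sweep."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] == port and ev["src"] not in acs_allowlist:
            by_src[ev["src"]].append(ev)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(in_window) >= min_targets:
                sweeps[src] = sorted({e["dst"] for e in evs})
                break
    return sweeps


def compromised_cpe(events, sweeps, port=TR069_PORT):
    """CPE that accepted a factory-default username from a sweeping source."""
    hits = {ev["dst"] for ev in events
            if ev["src"] in sweeps and ev["dport"] == port
            and ev["auth"] == "ok" and ev["user"] in DEFAULT_USERS}
    return sorted(hits)


def nft_filter_rule(acs_addr, port=TR069_PORT):
    """nftables fragment admitting TR-069 only from the ACS: the concrete form
    of the 'port filtering' the operators applied. ACS address is assumed."""
    return (f"tcp dport {port} ip saddr {acs_addr} accept\n"
            f"tcp dport {port} drop")


if __name__ == "__main__":
    evs = list(parse(SAMPLE_LOG))
    sweeps = find_sweeps(evs, acs_allowlist={"198.51.100.10"})
    for src, targets in sweeps.items():
        print(f"sweep from {src}: {len(targets)} CPE touched")
    print("CPE answering default credentials:", compromised_cpe(evs, sweeps))
    print(nft_filter_rule("198.51.100.10"))
```

Without the ACS allowlist the detector flags the ACS itself, which is the point of the parameter: the only way to tell a management sweep from a malicious one on port 7547 is by the source address, which is also why filtering the port down to the ACS is the right mitigation rather than a per-CPE fix.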
