Cyber Incident Victim: Sierra Tel
Date: Apr 2017
Location: United States of America
Summary
A Californian ISP experienced a widespread outage when customers lost internet and telephone connectivity due to a malicious hacking event targeting specific modem models. The attack compromised Zyxel HN-51 devices, rendering them unable to connect to the network, prompting the provider to replace or repair affected hardware amid overwhelming demand that led to operational delays. Evidence suggests that conflicting activity between IoT malware families, including BrickerBot (which disables unsecured devices by overwriting storage) and potentially Mirai, contributed to the disruption. The incident highlighted vulnerabilities in modem control interfaces, previously exploited in similar attacks. The provider collaborated with law enforcement to investigate the breach while addressing customer impacts through extensive hardware remediation efforts.
Description
On April 10, 2017, Sierra Tel customers in Mariposa and Oakhurst, California, experienced widespread internet and telephone service outages. Initial unconfirmed reports suggested a botched firmware update, but Sierra Tel confirmed the incident as a "malicious hacking event" targeting Zyxel HN-51 modems in an April 11 statement. The compromised modems became unable to connect to Sierra Tel's network, prompting the ISP to initiate a modem replacement program. Customers formed long lines at Sierra Tel offices to exchange devices, but the company exhausted its replacement inventory within hours. Sierra Tel then transitioned to collecting affected modems for repair, promising customers callback notifications upon completion. The company resolved the incident nearly two weeks later, announcing on April 22 via Facebook that repairs were nearly finished for all impacted devices.

The outage was linked to conflicting activity between BrickerBot and another malware family, potentially Mirai, according to BrickerBot's creator Janit0r. BrickerBot's "Plan B" sequence—which attempts to secure devices before irreversibly damaging them if unsuccessful—aligned with the observed modem failures requiring physical repairs. Janit0r confirmed BrickerBot's presence on Sierra Tel's network during the outage but noted concurrent malware infections complicated attribution. The incident mirrored previous attacks on Deutsche Telekom and UK ISPs involving Zyxel modems compromised through TR-069 control interface vulnerabilities, which Mirai had historically exploited. Sierra Tel acknowledged collaborating with law enforcement to identify the attackers but did not publicly confirm the specific malware responsible. Cybersecurity firm Radware subsequently reported new BrickerBot variants with enhanced destructive capabilities, though these emerged after Sierra Tel's incident resolution. The ISP received praise from Janit0r for transparency in disclosing the hack but faced criticism for inadequate network security practices, particularly failing to filter control interfaces from external internet access.
