Cyber Incident Victim: Bharat Sanchar Nigam Limited
Date: Jul 2017
Location: India
Summary
A cyber-attack using BrickerBot malware disrupted internet connectivity for over 60,000 modems and routers belonging to a major Indian telecom provider and another state-owned operator, primarily impacting devices with unchanged default credentials. The malware exploited open TR-069 ports and hard-coded logins, causing prolonged outages across multiple regions until technical teams implemented port filtering and conducted mass password resets via remote support, on-site assistance, and customer tutorials. The incident temporarily disabled nearly half of the provider's broadband connections and repeatedly affected reset devices when they were reactivated. Unlike prior BrickerBot infections, the bricking was reversible in this case, with no permanent hardware damage reported.
Description
The incident impacting Bharat Sanchar Nigam Limited (BSNL) and Mahanagar Telephone Nigam Limited (MTNL) began on July 25, 2017, when users across multiple Indian states reported losing internet connectivity as their modems and routers became unresponsive with a persistent red LED indicator. The disruption continued until July 29, affecting devices belonging to customers of both state-owned telecommunications providers. BSNL confirmed malware was responsible for the downtime, which also temporarily impaired routers within its National Internet Backbone infrastructure, though these were restored promptly.

An internal technical team member disclosed that modems in northeast, north, and south India were compromised, with BSNL estimating that approximately 60,000 devices, representing 45% of its broadband connections, lost connectivity. MTNL did not disclose its impact figures. The outage's duration was exacerbated by a concurrent employee strike at BSNL, delaying recovery efforts.

Initial analysis revealed the malware targeted devices retaining factory-default credentials (admin/admin), a vulnerability BSNL publicly acknowledged on July 28 while urging over 2,000 users to change passwords. By July 30, a BSNL executive reported that 90% of newly installed modems were affected but declined to specify totals. Technical support teams worked throughout the week to assist customers with password resets via phone guidance, on-site visits, and online tutorials, while field offices offered immediate modem restoration services. Engineers noted recurring malfunctions in some reset devices when reactivated at customer premises.

The malware was identified as BrickerBot, a strain designed to “brick” Linux-based networking equipment by corrupting flash storage. Its creator claimed responsibility, disclosing exploitation of TR-069 protocol ports (specifically port 7547) and hard-coded credentials beyond default logins to compromise devices. Unlike prior BrickerBot infections causing irreversible damage, BSNL and MTNL devices were recoverable through firmware resets. Attack intensity diminished after both providers implemented port 7547 filtering, with a security researcher observing a sharp decline in exposed devices by mid-week. The actor characterized the incident as an unintended consequence of a global campaign targeting vulnerable network blocks, denying political motives. BSNL declined official comment, while MTNL could not be reached for comment. Connectivity was largely restored by July 29, though residual technical challenges persisted with reactivated hardware. No permanent infrastructure damage or data breaches were reported.
