Cyber Incident Victim: Deutsche Telekom
Date: Nov 2016
Location: Germany
Summary
A modified Mirai botnet variant infected approximately 900,000 routers belonging to Deutsche Telekom, disrupting internet, telephony, and television services for customers. The malware targeted vulnerable ISP routers through the TR-069/TR-064 remote-management protocols on port 7547, and infected devices made worm-like attempts to compromise additional devices. Similar attacks affected Irish telecom customers through Eir D1000 modems, leveraging a known Metasploit exploit module. Researchers identified millions of globally exposed devices with open port 7547, indicating widespread susceptibility across multiple router models and vendors. The telecom provider released an emergency software update to mitigate infections, while security experts urged blocking the vulnerable port to prevent further exploitation.
Description
In late November 2016, approximately 900,000 Deutsche Telekom customers experienced service disruptions affecting internet connectivity, telephony, and television services. The outages began around November 27 when attackers infected customer routers with a modified variant of the Mirai botnet malware. The compromised devices included specific router models: Speedport W 921V, W 723V Type B, and W 921 Fiber. Germany's National Cyber Defense Center initiated an investigation into the incident while Deutsche Telekom issued an emergency software update designed to automatically install after infected routers rebooted. Attackers exploited routers with port 7547 exposed to the internet, targeting vulnerabilities in the TR-069 and TR-064 protocols used for remote device management. These protocols, when implemented without proper authentication requirements, enabled unauthorized execution of malicious code. Security researchers confirmed the malware combined repurposed Mirai code with exploit modules to compromise devices.

Parallel incidents occurred in Ireland involving Eir D1000 modems distributed by telecom provider Eir, where approximately 182,000 devices were exposed via the same port vulnerability. Cybersecurity firm Fox-IT confirmed these routers were infected with a similar Mirai variant exhibiting worm-like propagation behavior, scanning for other vulnerable devices to expand the botnet. Analysis revealed the malware incorporated code from a publicly available Metasploit module targeting TR-064 protocol weaknesses. Shodan searches identified 41 million internet-connected devices globally with port 7547 openly accessible, while researchers cataloged approximately 50 vulnerable router models across multiple vendors and countries including TalkTalk (UK) and VIVO (Brazil). The compromised Deutsche Telekom routers did not participate in DDoS attacks but focused solely on self-propagation. Deutsche Telekom's remediation required customer devices to restart for automatic patching, though the scale of exposed devices suggested broader risks remained unaddressed across multiple ISPs and manufacturers.
