BSNL networks faced a malware attack in the second fortnight of July 2017. The attack was first detected in the company’s broadband network in Karnataka. Overall, it is anticipated that a total of 60,000 broadband modems were affected, particularly the ones that continued to use the default admin-admin username / password combination.
The attack on BSNL systems was immediately followed by an attack on MTNL routers in the capital in the last few days of July 2017. In the case of MTNL, approximately 10,000 customers were affected over quite a few days. It is also reported that the malware affected Bharti Airtel’s landline broadband network, though a smaller number of subscribers were affected.
Once the malware had infected a modem, the modem stopped connecting to the internet automatically. The malware was able to remotely change passcodes. Even after a hard reset, the modem could not recover and connect to the internet. On the affected modems, the Internet access LED turned permanently red, and the internet could not be accessed. Another curious aspect was that the malware affected only BSNL-supplied / installed modems and not the ones procured by the users themselves, implying that certain families of modems procured by BSNL in particular were being infected. In fact, on closer scrutiny it was found that modems sourced from three vendors, namely Syrma, Teracom and Supernet, were being infected by the malware. As per MTNL CMD P K Purwar, the modems with a Taiwanese chipset were affected. Even after the modems were disinfected, quite a few of them got infected a second time when they connected back to the internet.
Another symptom was that the infected modems were redirecting users to advertisement or pornographic sites. This could possibly be because of a DNS hijack attack, which would involve an attacker first getting access to a connected device and thereafter logging in to the router using the default credentials. Once connected to the router, the attacker can change the default DNS settings to point at a fake website or server of his choice. In this kind of attack the hacker could also try to attack the router’s admin interface directly, using a few lines of code.
A majority of the affected users never cared to change their modem’s administration password and left it at the default (admin). This negligence gave the malware access to the modem configuration page via the user’s external IP address. Once access had been gained, the malware or its creators could create a back door and steal the user’s data from the connected devices. There were also reports that the malware affected routers which were a part of BSNL’s National Internet Backbone (NIB); however, these were recovered immediately.
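The three weaknesses the preceding two paragraphs describe (a default admin password, DNS servers changed away from the ISP’s own, and the admin page reachable from the WAN side) are exactly what an ISP could audit across its CPE fleet before handing out reset advice. The following script is an added example and is not code from the article or from BSNL/MTNL; the key=value config-dump format, the device ids, the vendor names and the resolver addresses (TEST-NET documentation ranges) are all constructed for illustration.

```python
"""Audit constructed CPE (modem/router) configuration dumps for the weaknesses
described above: factory admin credentials, resolvers that are not the ISP's
own (a DNS-hijack indicator), and admin access enabled on the WAN interface.
Added example with constructed data; not taken from any real device or ISP."""
import ipaddress
from typing import Dict, List

# Constructed: the resolvers the ISP expects every CPE to hand out.
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed: factory credential pairs commonly shipped on consumer CPE.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

# Constructed sample of three config dumps in a simple key=value format.
SAMPLE_CONFIGS = """\
[cpe-0001]
vendor=VendorA
admin_user=admin
admin_pass=admin
dns=203.0.113.53,203.0.113.54
wan_admin=on

[cpe-0002]
vendor=VendorB
admin_user=admin
admin_pass=admin
dns=198.51.100.7,203.0.113.53
wan_admin=off

[cpe-0003]
vendor=VendorC
admin_user=owner
admin_pass=c0rrect-h0rse
dns=203.0.113.53
wan_admin=off
"""


def parse_configs(text: str) -> Dict[str, Dict[str, str]]:
    """Split the dump into one {key: value} dict per [device-id] section."""
    devices: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            devices[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            devices[current][key.strip()] = value.strip()
    return devices


def audit_device(cfg: Dict[str, str]) -> List[str]:
    """Return a list of finding tags for one device configuration."""
    findings: List[str] = []
    if (cfg.get("admin_user", ""), cfg.get("admin_pass", "")) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    rogue = []
    for resolver in filter(None, cfg.get("dns", "").split(",")):
        try:
            ipaddress.ip_address(resolver)
        except ValueError:
            rogue.append(resolver)      # a non-IP value is suspicious in itself
            continue
        if resolver not in ISP_RESOLVERS:
            rogue.append(resolver)      # resolver the ISP never configured
    if rogue:
        findings.append("unexpected-dns:" + ",".join(rogue))
    if cfg.get("wan_admin", "off").lower() in ("on", "1", "true", "yes"):
        findings.append("wan-admin-exposed")
    return findings


def severity(findings: List[str]) -> str:
    """Default credentials reachable from the WAN is the worst combination."""
    if "default-credentials" in findings and "wan-admin-exposed" in findings:
        return "critical"
    if any(f.startswith("unexpected-dns") for f in findings):
        return "high"
    return "medium" if findings else "ok"


def audit_fleet(text: str) -> Dict[str, dict]:
    """Audit every device in a dump; returns {device_id: {vendor, findings, severity}}."""
    report = {}
    for dev_id, cfg in parse_configs(text).items():
        found = audit_device(cfg)
        report[dev_id] = {"vendor": cfg.get("vendor", "?"),
                          "findings": found, "severity": severity(found)}
    return report


if __name__ == "__main__":
    for dev_id, entry in audit_fleet(SAMPLE_CONFIGS).items():
        print(f"{dev_id} ({entry['vendor']}): {entry['severity']} {entry['findings']}")
```

Running it flags cpe-0001 as critical (factory password plus WAN-side admin), cpe-0002 as high (factory password and a resolver the ISP never configured, the DNS-hijack symptom described above), and cpe-0003 as clean. Grouping the findings by vendor is how an operator would confirm, or refute, the observation that only certain modem families were affected.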
As far as remediation is concerned, the service providers were quite proactive. To begin with, an over-the-phone rectification helpline was set up. The affected users were advised to keep the reset button on the modem pressed for a few seconds to take the modem back to its factory settings. Once the modem had gone back to its initial factory settings, it had to be reconfigured to make it connect to the internet. This was not a foolproof remediation technique, because reconfiguration over the phone can be quite a challenge for many users, which further compounded problems for the service provider. In addition, both BSNL and MTNL started directly contacting affected users to inform them about the problem and advise them on how to solve it. In serious cases where the modem gave problems even after being reconfigured, the service providers replaced the modem. MTNL also shared a modem guide for those users who were unable to access MTNL through any other means. The basic advice given out by both BSNL and MTNL to all their users was to change the default system password from “admin”.
The service providers also carried out other remediation activities which were not formally disclosed to the public but became known from forum discussions about the problems users were facing. For example, users realised that Telnet and SSH access on the broadband network had been blocked across the country. In fact, this was as per the US ICS-CERT alert issued in April 2017.
As far as officials of MTNL and BSNL were concerned, they did not make any disclosures about the source of the malware or who was behind it. However, the author of the “BrickerBot” malware claimed ownership of the attack. The author is known as a vigilante grey-hat who goes by the online name “Janit0r”, the nickname he chose for himself on the “Hack Forum” discussion boards. This particular type of malware affects Linux-based networking and IoT devices and first came to notice in April 2017; in the US, the Department of Homeland Security’s ICS-CERT had already issued an alert in the same month. Malware that affected IoT devices was generally seen to hoard them for building botnets for DDoS attacks. In this case the malware instead bricks the device (in the sense of closing a passage by putting bricks in it, hence the name of the malware) by rewriting its flash storage, so that it can no longer be used to connect to the internet. In the majority of cases this can be reversed; however, in some cases the bricking may not be reversible. This kind of activity indicates that the malware may not be aimed at making money or causing any real damage. The author has claimed that he developed this malware to bring to the notice of the ISPs that they are running unsecured devices. He feels that through this kind of vigilante activity he will be able to ensure that in future there will be a smaller number of such unsecured devices available on the internet for use by botnet malware, thus reducing the ever-increasing trend of DDoS attacks on the internet, seen particularly in the latter half of 2016. In fact, the author of BrickerBot also said that “BSNL devices are generally insecure, and the ISP is hiding the real situation by blaming it on customer negligence”. He pointed out that the ISPs have hundreds or thousands of modems with unprotected TR-069 (TR-064) interfaces.
This is the primary reason which allows a hacker to reconfigure the device for Man-in-the-Middle (MITM) attacks or DNS hijacking, and this is why forcing customers to change their password does not help.
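The network-side counterpart to the password advice is the one the ISPs actually applied: blocking Telnet and SSH at the edge (noted two paragraphs earlier) and, following the BrickerBot author’s point, treating the TR-069 management interface the same way. Whether such management ports are still being reached from the WAN is something an operator can verify from its own edge firewall logs. The script below is an added example, not code from the article or from any ISP; the log format, the addresses and the 7547 port assignment for TR-069 CWMP connection requests are assumptions (the port is the conventional one, the log lines are constructed).

```python
"""Scan constructed edge-firewall log lines for inbound WAN connections to CPE
management ports (Telnet, SSH, TR-069 CWMP), report which customer devices
still accept them, and spot sources sweeping many devices on those ports.
Added example with constructed data; the log format is an assumption."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Management services on a CPE that should not be reachable from the WAN side.
# Port 7547 is the conventional TR-069 CWMP connection-request port (assumption
# that the fleet uses the default).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 7547: "tr-069/cwmp"}

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+) dir=(?P<dir>\w+)"
)

# Constructed sample: one source sweeping Telnet across three customer devices,
# one TR-069 hit, one legitimate outbound SSH session and one ordinary HTTPS hit.
SAMPLE_LOG = """\
2017-07-25T10:15:02Z src=198.51.100.9 dst=203.0.113.200 dport=23 proto=tcp action=accept dir=in
2017-07-25T10:15:03Z src=198.51.100.9 dst=203.0.113.201 dport=23 proto=tcp action=accept dir=in
2017-07-25T10:15:04Z src=198.51.100.9 dst=203.0.113.202 dport=23 proto=tcp action=deny dir=in
2017-07-25T10:15:09Z src=198.51.100.9 dst=203.0.113.200 dport=7547 proto=tcp action=accept dir=in
2017-07-25T10:16:00Z src=203.0.113.200 dst=192.0.2.44 dport=22 proto=tcp action=accept dir=out
2017-07-25T10:16:30Z src=192.0.2.77 dst=203.0.113.201 dport=443 proto=tcp action=accept dir=in
this line is not a firewall event and is skipped
"""


def parse_log(text: str) -> List[dict]:
    """Parse well-formed lines into dicts; silently skip anything else."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_exposed(events: List[dict]) -> Dict[str, Set[str]]:
    """Devices that ACCEPTED an inbound WAN connection on a management port."""
    exposed: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["dir"] == "in" and ev["action"] == "accept" and ev["dport"] in MANAGEMENT_PORTS:
            exposed[ev["dst"]].add(MANAGEMENT_PORTS[ev["dport"]])
    return dict(exposed)


def find_sweepers(events: List[dict], min_targets: int = 3) -> Dict[str, int]:
    """Sources that probed management ports on at least min_targets distinct
    devices, accepted or denied; this is the sweep pattern preceding mass
    reconfiguration, and a candidate for an edge block."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["dir"] == "in" and ev["dport"] in MANAGEMENT_PORTS:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def analyse(text: str) -> dict:
    events = parse_log(text)
    return {"events": len(events),
            "exposed": find_exposed(events),
            "sweepers": find_sweepers(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"parsed {result['events']} events")
    for dst, services in sorted(result["exposed"].items()):
        print(f"  {dst} still accepts WAN-side {', '.join(sorted(services))}")
    for src, count in result["sweepers"].items():
        print(f"  {src} swept management ports on {count} devices")
```

On the sample, the two devices that still accept Telnet (and one that also accepts TR-069) are exactly the ones a nationwide Telnet/SSH block at the edge is meant to cover, and the single sweeping source shows why blocking the port matters more than the customer’s password: the accepted connection on 7547 never asked for one. Note that the outbound SSH session from a customer device is correctly ignored, since only the inbound direction is a WAN exposure.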
- At the end of the day, the malware attack appears to be the act of a vigilante grey-hat hacker who was disturbed by the scale of DDoS attacks on the internet using massive botnets of unsecured IoT devices. To reduce the scourge of these DDoS attacks, he took it upon himself to reduce the number of unsecured devices on the internet. This he did by making the unsecured devices unserviceable.
- Though the first detection and subsequent alert were issued in April 2017, a successful attack still happened in India in July 2017. Even now there is no clear-cut statement from the service providers regarding the nature of the attack, its cause and the action taken. As per the spokesmen of the service providers, the source of the malware remains untraced.
- That the services of private telecom operators were not affected possibly implies that those networks and modems were better secured, or that they simply follow better security SOPs.
- These attacks have come at a time when the country has undertaken a massive push towards a digital ecosystem. The government is ensuring that a huge number of public utility services are accessible from the government cloud on the internet. In addition, there is also a massive drive to promote digital payments in the country. In such a situation this kind of malware attack, which does not allow the user to access the internet at all, can become a major pain point for the country.
- Though the present government has moved all the common citizen service delivery platforms onto the cloud with its inherent security architecture, this attack brings out a new vector. The attacker is not attacking the application, which has been adequately secured by the latest cloud security techniques; rather, the attacker has blocked the point of entry into the internet, making a fully serviceable and secure application totally useless.
- Lastly and most important is the possibility that this action was carried out by some nefarious entity or inimical nation state to test the waters. The learnings from this attack could be used at a later date to cripple the internet, so that services of the government don’t reach the people and create large scale disenchantment with government schemes, amongst the masses. After all, the US Presidential elections have taught us how online disenchantment campaigns can swing an impending election.
- These attacks would surely have been noted by CERT-In and deliberated upon, as to the way forward and how to protect the country’s internet services in future.