Outages that have hit hundreds of thousands of Deutsche Telekom customers in Germany since Sunday were part of a worldwide attempt to hijack routing devices, German government and commercial security experts said.
Other operators globally were targeted by the attacks, and their systems may have been compromised, executives warned at a security conference organised by Deutsche Telekom. They advised network operators to look for tell-tale signs of infected machines, such as blocked customer service features.
Deutsche Telekom, Germany's largest telecom company, said the attack caused outages for as many as 900,000 of its users, or about 4.5 percent of its 20 million fixed-line customers, but said it was thwarted before it could spread.
The attack used malicious software known as Mirai, which last month cut off access to some of the world's best known websites, including Twitter and Spotify.
Mirai can turn network devices ranging from webcams to digital recorders and internet routers into remotely controlled "bots" that can be used to mount large-scale attacks against other targets across the internet.
"This was not an attack against Deutsche Telekom. It was a global attack against all kinds of devices," said Dirk Backofen, a senior Deutsche Telekom security executive.
"How many other operators were affected, we don't know."
The German Office for Information Security (BSI) said the attack had also targeted the German government's network but had failed because defensive measures had proved effective.
"The BSI considers this outage to be part of a worldwide attack on selected remote management interfaces of DSL routers," the government agency said on its website.
Such remote interfaces, or ports, allow network technicians to fix customers' routers from afar, but have been found in certain cases to expose the equipment to outside attack. Both the attack and rapid recovery exploited this feature.
Security firm SANS Institute said it had seen a strong increase in traffic aimed at the remote management feature on broadband modems.
The Mirai malware was modified by unknown attackers to target certain models of routers used in homes and offices, but was thwarted by defensive measures designed to block malware in the Deutsche Telekom network, company executives said.
Nonetheless, these defenses had the effect of knocking affected routers offline, resulting in internet outages for nearly 1 million Telekom customers, who rely on these boxes for internet service, voice calling and online TV reception.
Telekom executives apologised to customers but warned the massive firepower created by this botnet would have overwhelmed the internet worldwide if unchecked, and still might do so.
"You can assume that somewhere in the world this attack will have been successful," Thomas Tschersich, Deutsche Telekom's head of IT security, said.
Tschersich said Telekom had notified other network operators around the world and relevant security agencies of what is known about the attack.
The outages started on Sunday and continued through Tuesday, albeit with a lot fewer crippled devices.
Telekom resells routers from more than a dozen mostly Asian suppliers under the brand Speedport.
Security experts worked late into the night on Sunday to isolate the issues among its German customers to three types of routers manufactured by Taiwan's Arcadyan Technology. The companies worked together to create a software patch which Telekom quickly tested and pushed out to users on Monday.
Arcadyan did not reply to requests for comment.
Security experts said attributing blame for the attacks may prove impossible because, while the creator of the original Mirai software showed great sophistication, its release onto the open internet in recent months means even teenaged hackers with few technical skills could be to blame for follow-on attacks.
Bruce Schneier, a US computer security expert also speaking at the Telekom conference, warned of the limited technical knowledge required to mount subsequent attacks.
"The first one uses skill, everyone else uses software", he said.
German Interior Minister Thomas de Maiziere said he did not want to speculate on who was behind the action but noted that the lines between criminal activities and state-backed security attacks can no longer be clearly drawn.
"Attacks come from private and criminal organisations, but also from states, namely Russia and China take part in such attacks," de Maiziere said in Berlin, noting that past assaults on Germany's parliament were linked to Russian state-backed hackers.
"That still can't be determined for Sunday's event."