Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks

Closely held OVH confirmed the attack, but declined to comment further.

“We’re thinking this is the tip of the iceberg,” said Dale Drew, head of security at Level 3 Communications Inc., which runs one of the world’s largest internet backbones, giving it a window into many of the attacks that cross the net.

The proliferation of internet-connected devices from televisions to thermostats provide attackers a bigger arsenal of weapons to infiltrate. Many are intended to be plugged in and forgotten. These devices are “designed to be remote controlled over the internet,” saidAndy Ellis, security chief at network operator Akamai TechnologiesInc., some of whose clients were affected. “They’re also never going to be updated.”

Experts have long warned that machines without their own screens are less likely to receive fixes designed to protect them. Researchers have found flaws in gadgets ranging from “smart” lightbulbs to internet-connected cars. Wi-Fi routers are a growing source of concern as many manufacturers put the onus on consumers to do the updating.

Level 3 identified cameras and video recorders made by Chinese manufacturer Dahua Technology Co. as the sources of a large share of the recent attacks, but Level 3 said other devices are being roped into a new attack network currently being assembled. Hackers often hijack the machines through computers that are already infected or poorly protected Wi-Fi routers.

A Dahua spokeswoman said on Thursday the company is still reviewing Level 3’s research. She cautioned that malware could succeed in attacking older devices that have outdated software.

“We strongly recommend users to upgrade the firmware of devices” and set a strong password to reduce risks, she added.

Dahua, which claims it is one of the world’s biggest makers of security cameras and digital recorders, sells directly to consumers and businesses through its website and retailers like Amazon.com Inc. It also lists 71 technology partners on its U.S. website, from startups like AngelCam to better known firms like Canon Inc.

Many of Dahua’s cameras and recorders are used by small businesses for security systems. Level 3 said H.264 DVRs made by Dahua were especially prevalent, though security researchers said other brands were affected. In some cases the devices weren’t protected with passwords or had generic passwords, Mr. Drew said.

“I suspect that a lot of people have been caught by surprise by how soon” the attacks happened, said Akamai’s Mr. Ellis. His company said it was blindsided by one of last week’s attacks.

Mr. Ellis said traffic on Sept. 20 reached 700 gigabits a second—equivalent to 140,000 high-definition movies streaming at once—on his company’s network, twice the size of the previous biggest stream.

Arbor Networks Inc., a security firm that defended several websites affiliated with the Rio Olympics against similar attacks this summer, found cable set-top boxes and home routers used to bombard the websites with data. Those attacks reached as much as 540 gigabits a second, Arbor said.

“There are tens and tens of millions of these embedded devices out there,” said Roland Dobbins, Arbor’s principal engineer. “But they ship by default with very poor security.”

Denial-of-service attacks—so-called because they flood websites with unwanted data crashing the sites and denying access to legitimate users—are nothing new. In prior iterations, hackers have exploited weaknesses in the operating systems of personal computers hijacking them to carry out these actions. Microsoft Corp.for decades has been playing a running game of Whac-A-Mole to patch each flaw in its Window’s operating system as it arises.

“It’s going to be very difficult to convince consumers to patch their refrigerator,” said Matthew Prince, chief executive of security provider CloudFlare Inc. “Where the security is more likely to be placed is in the network.”

Write to Drew FitzGerald at andrew.fitzgerald@wsj.com