Hacker Bricks 600,000 Routers In Just 72 Hours
Security researchers have confirmed that an unidentified attacker effectively bricked more than 600,000 routers belonging to customers of a single internet service provider by pushing a malicious firmware update. Customers reported that the routers simply stopped working, displaying a solid red light and refusing to reboot.
Black Lotus Labs, the threat research arm of Lumen Technologies, has published a detailed analysis of the highly unusual incident, which took place over a 72-hour period in October 2023. In what the report describes as a destructive event, the affected small office/home office routers, identified as ActionTec T3200 models, were rendered “permanently inoperable and required a hardware-based replacement.”
The researchers said that scan data showed 49% of all modems suddenly disappearing from the ISP’s autonomous system number (ASN), the identifier for the collection of Internet Protocol routing prefixes operated by a single network operator.
Destructive Attack Used Chalubo Trojan To Deliver Malicious Firmware Update
It appears that the attack was carried out using a remote access trojan named Chalubo, first spotted in 2018. Chalubo is known to carry payloads customized for SOHO routers and Internet of Things devices, and it can execute malicious scripts, including ones that perform Distributed Denial of Service attacks.
“We suspect the threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit,” the researchers said. However, the motive for the attack remains unclear, and Black Lotus Labs say that no “known nation-state activity clusters” were found to be associated with it.
That said, the researchers have confirmed “with high confidence” that this wasn’t an accident but a deliberate act with the intention of causing an internet outage—a denial of service event, in other words.
Publication Names Windstream As Impacted Internet Service Provider
Although the Black Lotus Labs report doesn’t name the ISP involved, Ars Technica has reported it as being Windstream. This is based on accounts from Windstream subscribers during the same period in October 2023 and on the affected router models matching those named in the report.
I have reached out to Windstream for a statement. It is understood that customers impacted by this attack were provided with new routers as soon as possible.