Recently-Discovered Hack Quietly Took Down 600,000 Routers
Cybersecurity experts with Lumen Technologies’ Black Lotus Labs have identified an incident last year that disabled more than 600,000 small office or home office routers. All devices belonged to a single, unnamed internet service provider (ISP).
The report, published on Lumen Technologies’ blog, describes a 72-hour outage in October 2023. Lumen analysts identified the malware Chalubo as the source of the problem. A remote access trojan, or RAT, Chalubo obfuscates its own presence and had previously been identified only once, in 2018.
In this case, 49% of all modems from the ISP went offline. The infected devices became inoperable and required physical replacement. At the time, customers complained that their routers could not connect to the Internet and displayed a static red light.
The attack appears to be an isolated incident and is not currently linked to any nation-states. Chalubo can launch distributed denial of service (DDoS) attacks (like the one that targeted Microsoft a few months ago), but that function was not used in this case. Lumen researchers believe the attack aimed to cause an outage.
The ISP provides internet access across many Midwestern U.S. states, and much of its service area is rural or underserved. Lumen noted that an attack like this is particularly dangerous because cuts to internet access could reduce access to emergency services, interrupt healthcare, and cause farmers to lose sensitive data on crops they remotely monitor. Luckily, no significant impact was observed in this case.
Lumen researchers described the incident as unprecedented in terms of the number of devices that needed replacing. Independent researchers similarly told Reuters that it appeared to be one of the most serious attacks against American telecommunications on record.
The trojan reached the ISP’s customers as a malicious firmware update, but further details on how the update shipped to customers or who was responsible remain unknown.
While Lumen Technologies didn’t name the impacted ISP, Reuters identified it as Windstream, a provider based in Arkansas. A Windstream spokesperson declined to comment on the incident.
Lumen Technologies provides communications services to customers in more than 60 countries, with various solutions for the cloud, networking, and cybersecurity. Black Lotus Labs is Lumen’s threat research and operations arm.