600,000 routers were bricked in a single cyberattack

Posted by
Check your BMI
Illustration of a computer screen with a blue exclamation point on it and an error box.
Photo by Amelia Holowaty Krales / The Verge
toonsbymoonlight

A cyberattack was behind an incident last year that disabled over 600,000 internet routers across several Midwest states between October 25th and 27th, according to new research published by Lumen Technologies’ threat research arm, Black Lotus Labs. The incident wasn’t disclosed at the time, despite hundreds of thousands of routers being rendered inoperable.

The investigation also didn’t specify which company was targeted, but Reuters says it has identified the target as Windstream, an Arkansas-based ISP, based on cross-referencing internet outages reported during the same period. Windstream, which has a service area covering many rural or underserved communities, declined The Verge’s request for comment.

Black Lotus Labs investigated based on repeated complaints across social media and outage detectors about specific routers, particularly the ActionTec T3200 and ActionTec T3260. Users reported their issues were resolved only by their provider replacing the affected devices.

The malicious firmware package that deleted parts of the operational code on impacted routers was identified as “Chalubo,” a commodity remote access trojan. It’s unclear how the firmware was shipped to customers — whether through an unknown exploit, weak credentials, or access to administrative tools — or who was behind the attack that the researchers called “a deliberate act intended to cause an outage.”

While some mysteries remain, Black Lotus Labs recommends that organizations secure management devices and avoid basic security weaknesses like default passwords. Consumers are also encouraged to stay on top of regular security updates.