Numerous subscribers of Windstream, an Internet Service Provider (ISP), reported that their routers had suddenly stopped functioning in October 2023. These complaints flooded online forums, with users noting that their ActionTec T3200 routers, provided by Windstream, had become unresponsive despite various troubleshooting attempts.
Windstream Customers Voice Their Frustration
When a router suddenly stops working, especially for someone who depends on it for work, the first question is whether the ISP is fixing a problem on its end.
As Ars Technica reported, one Windstream user said the routers showed only a steady red light and did not respond to the reset button. This was not an isolated case.
Many customers blamed Windstream for the problem, suspecting that an update from the ISP had rendered their devices unusable.
Windstream's Kinetic broadband service serves around 1.6 million subscribers across 18 states, and for many families and remote workers it is a critical link.
Over 600,000 Routers Affected
Security firm Lumen Technologies' Black Lotus Labs recently published a report shedding new light on the incident. Their investigation revealed that malware had taken out over 600,000 routers in a 72-hour period starting on October 25.
While the ISP involved was not named, the details matched those reported by Windstream users, including the router models and the timing of the incident.
Deliberate Malware Attack By Chalubo
Black Lotus Labs determined that the routers had been compromised by a threat actor using Chalubo, a commodity remote-access trojan. Chalubo can execute custom Lua scripts, and the researchers believe such a script carried the payload that overwrote the router firmware, leaving the devices unrecoverable.
"We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage," the report stated.
Scale of the Attack
The researchers used the Censys search engine to track the affected router models and found that one specific Autonomous System Number (ASN) showed a 49% drop in the number of visible devices of those models during the incident. That translated to at least 179,000 ActionTec routers and over 480,000 Sagemcom routers going offline.
Even though routers constantly connecting and disconnecting complicated the count, the researchers estimate that at least 600,000 routers were affected.
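The snapshot comparison described above, as an added example that is not code from Black Lotus Labs, Censys or the ISP: it assumes scan results already reduced to counts of visible hosts per (ASN, router model), and all figures in it are constructed to reproduce the magnitude the report describes, not real Censys data. It also handles the churn problem mentioned above by counting a router as lost only if it stays absent across every follow-up snapshot.

```python
"""Spot a mass loss of routers in Internet-scan snapshots, grouped by ASN.

Added example for this article; not code from Black Lotus Labs, Censys or
the ISP. It assumes scan results already reduced to counts of visible hosts
per (ASN, router model). All figures below are constructed to reproduce the
magnitude the report describes; they are not real Censys data.
"""
from __future__ import annotations

# (asn, model) -> hosts whose banner fingerprinted as that router model
Snapshot = dict[tuple[str, str], int]

# Constructed baseline snapshot taken before the outage window.
BEFORE: Snapshot = {
    ("AS-ISP-A", "ActionTec T3200"): 365_000,
    ("AS-ISP-A", "Sagemcom"): 980_000,
    ("AS-ISP-B", "ActionTec T3200"): 50_000,  # control ASN, same models
    ("AS-ISP-B", "Sagemcom"): 20_000,
}

# Constructed follow-up snapshots. ISP-B dips hard in the first one (an
# upstream blip, routine churn) but recovers; ISP-A never does.
AFTER_SNAPSHOTS: list[Snapshot] = [
    {
        ("AS-ISP-A", "ActionTec T3200"): 184_000,
        ("AS-ISP-A", "Sagemcom"): 495_000,
        ("AS-ISP-B", "ActionTec T3200"): 36_000,
        ("AS-ISP-B", "Sagemcom"): 14_000,
    },
    {
        ("AS-ISP-A", "ActionTec T3200"): 186_000,  # 179,000 never came back
        ("AS-ISP-A", "Sagemcom"): 500_000,         # 480,000 never came back
        ("AS-ISP-B", "ActionTec T3200"): 48_500,
        ("AS-ISP-B", "Sagemcom"): 19_600,
    },
]


def persistent_loss(before: Snapshot, afters: list[Snapshot]) -> dict[tuple[str, str], int]:
    """Hosts gone in *every* follow-up snapshot, per (ASN, model).

    Routers reconnect with new addresses and drift in and out of any single
    scan, so a one-off diff over-counts. A host counts as lost only if the
    best follow-up count is still below the baseline; growth is clamped to 0.
    """
    if not afters:
        raise ValueError("need at least one follow-up snapshot")
    lost: dict[tuple[str, str], int] = {}
    for key, n_before in before.items():
        still_seen = max(a.get(key, 0) for a in afters)
        lost[key] = max(n_before - still_seen, 0)
    return lost


def summarize_by_asn(before: Snapshot, afters: list[Snapshot]) -> dict[str, dict]:
    """Per ASN: routers tracked before, routers lost, fraction lost, loss per model."""
    lost = persistent_loss(before, afters)
    summary: dict[str, dict] = {}
    for (asn, model), n_before in before.items():
        s = summary.setdefault(asn, {"before": 0, "lost": 0, "by_model": {}})
        s["before"] += n_before
        s["lost"] += lost[(asn, model)]
        s["by_model"][model] = lost[(asn, model)]
    for s in summary.values():
        s["drop"] = s["lost"] / s["before"] if s["before"] else 0.0
    return summary


def flag_mass_outage(before: Snapshot, afters: list[Snapshot],
                     min_drop: float = 0.25, min_lost: int = 10_000) -> list[str]:
    """ASNs that lost both a large share and a large number of routers.

    Both thresholds are assumptions chosen for this example: the share guards
    against a big ASN hiding a wipe of one model, the absolute floor against
    tiny ASNs where a handful of reboots looks like a collapse.
    """
    summary = summarize_by_asn(before, afters)
    return sorted(asn for asn, s in summary.items()
                  if s["drop"] >= min_drop and s["lost"] >= min_lost)


if __name__ == "__main__":
    for asn, s in summarize_by_asn(BEFORE, AFTER_SNAPSHOTS).items():
        print(f"{asn}: {s['lost']:,} of {s['before']:,} routers gone ({s['drop']:.0%})")
    print("flagged:", flag_mass_outage(BEFORE, AFTER_SNAPSHOTS))
```

Run with only the first follow-up snapshot and the control ASN is flagged too; once the second snapshot shows its routers back online, only the wiped ASN remains, which is the filtering the researchers needed to separate a destructive event from ordinary reconnect noise.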
Unique Characteristics of the Attack
Two aspects of this attack stand out. First, the sheer scale: over 600,000 devices had to be physically replaced, something seen only once before, when the AcidRain malware wiped Viasat satellite modems during Russia's invasion of Ukraine.
Second, the attack was confined to a particular ASN, impacting multiple router models within a single provider's network. This specificity suggests a deliberate action by a sophisticated cyber actor.
The motive behind the attack remains unclear. The researchers have not attributed it to a nation-state, though the level of sophistication leaves that possibility open. Nor have they determined the initial infection vector; it may have involved exploiting a vulnerability, abusing weak credentials, or reaching an exposed administrative interface.
How to Mitigate Future Attacks
To prevent similar incidents, the researchers recommend several best practices. Because the motive and the initial access vector are still unknown, the advice is necessarily general hygiene rather than a targeted fix.
It includes installing security updates, replacing factory-default passwords with strong ones, and regularly rebooting devices, which removes malware that runs only in memory. ISPs and organizations managing routers should also lock down management interfaces so they cannot be reached from the Internet by unauthorized parties.
Meanwhile, the Chinese national behind the 911 S5 botnet scheme has been charged with fraud and conspiracy. If convicted, YunHe Wang faces up to 65 years in prison.