Last October, subscribers to the internet service provider Windstream were hit by a mass router failure that affected around 600,000 devices across 18 US states.
Initially, many customers blamed the company for the widespread outage, but it later became apparent that something very different was happening once the devices proved unresponsive to reboots and other attempts to restore them to working order.
Users congregated on online message boards to vent their anger and share their experiences of the ActionTec T3200 displaying a solid red light and doing very little else. From Alabama and Arkansas to Georgia and Kentucky, people were cut off from the outside world. Some detailed lost earnings because they were unable to work from home, with one Windstream subscriber stating they were down $1,500 due to having no WiFi and hours spent troubleshooting.
The company replaced the bricked routers, but there was little in the way of an explanation until a recent report by Lumen Technologies’ Black Lotus Labs.
The investigation uncovered a “destructive event” that Windstream is yet to account for.
It transpires that over a 72-hour period beginning October 25, malware was deployed that wiped out more than 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP.
Potential nation-state attack
Coincidence? While the research team has not named the ISP involved, the situation matches the mass bricking reported by Windstream’s subscribers and the timeframe of their forum posts.
The malware was identified as Chalubo, which infected the routers and executed custom Lua scripts that permanently overwrote the firmware, leaving the devices inoperable.
The researchers stated, “Destructive attacks of this nature are highly concerning, especially so in this case.”
“A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records.”
“Needless to say, recovery from any supply chain disruption takes longer in isolated or vulnerable communities.”
The researchers said a sophisticated threat actor is likely responsible, possibly in a nation-state-sponsored attack, without elaborating further. Even after thorough analysis, the initial infection vector remains unknown, with a range of possibilities under consideration.
Windstream has still not provided a detailed response or explanation of what happened, leaving customer questions open, and security experts are also seeking more answers about this significant and unusual cyberattack.
Image credit: Ideogram