Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S.

wifi router on network concept background

Over 600,000 small office/home office (SOHO) routers have been disabled and taken offline by a destructive cyberattack, disrupting users’ internet access.

The attack was first disclosed this week by the security firm Black Lotus Labs, which did not identify the specific company affected. However, Ars Technica reports that the incident appears to have impacted an ISP called Windstream, which provides internet service to 18 states in the US Midwest and South.

The incident, named Pumpkin Eclipse by Lumen Technologies Black Lotus Labs, occurred between October 25 and 27, 2023, targeting a single U.S. internet service provider (ISP). The affected router models were ActionTec T3200, ActionTec T3260, and Sagemcom.

According to a technical report by Lumen, the attack lasted 72 hours, making the infected routers permanently unusable and necessitating hardware replacements.

This attack is notable because it resulted in the sudden loss of 49% of the ISP’s modems.

Lumen’s analysis months later identified the culprit as Chalubo, a remote access trojan (RAT) first documented in October 2018 by Sophos. The attackers likely used this malware to complicate tracking efforts. Chalubo can target all major SOHO/IoT kernels, perform DDoS attacks, and execute any Lua script sent to it. It’s believed the attackers used Lua scripts to deliver the destructive payload.

The initial method used to breach the routers is unknown, but it might have involved weak credentials or an exposed administrative interface. Once the attackers gained access, they deployed shell scripts to install Chalubo from an external server. The exact Lua script used for the destruction is still unknown.

This campaign is unusual because it targeted a single ISP’s network, unlike other attacks that target specific router models or common vulnerabilities. The reason for this targeted attack remains unclear.

“This attack was unprecedented due to the number of devices affected – over 600,000 units required replacement,” Lumen stated. “A similar event only occurred once before, with AcidRain preceding a military invasion.”

Read more about SOHO Router Attack

Back to News & Resources

Related news

    Book a free online consultation

    We love talking to businesses and understanding what they do and what they need. If you'd like to book a short, no obligation consultation, please provide us with your details. We understand that you may already have an IT company, consultant or team, so all contacts are treated as completely confidential. A fresh new IT approach could begin here...

    DD slash MM slash YYYY

    FAQs

    Get answers to common questions here.

    News & Resources

    Get latest updates, downloads and white papers.