Mass Router Outage Hits Windstream Users, Investigators Suspect Malware Attack

CIO Women Magazine

Source – Tech Times

In October, Windstream subscribers experienced a sudden and widespread failure of their routers, prompting a flood of complaints on message boards. Users reported that their ActionTec T3200 routers, provided by the ISP, had become unresponsive and displayed a steady red light, indicating a complete malfunction. Despite attempts to reboot or reset the devices, the routers remained inoperable.

One user described the situation, stating, “The routers now just sit there with a steady red light on the front. They won’t even respond to a RESET.” This sentiment was echoed by many Windstream customers, who blamed the ISP for the issue, suspecting that a pushed update had caused the mass malfunction. Windstream’s Kinetic broadband service, which serves about 1.6 million subscribers across 18 states, became a lifeline for many, making the outage particularly disruptive.

The impact was significant, with one subscriber lamenting, “We have 3 kids and both work from home. This has easily cost us $1,500+ in lost business, no TV, WiFi, hours on the phone, etc. So sad that a company can treat customers like this and not care.” In response, Windstream eventually replaced the affected routers, but the incident left many questions unanswered.

Investigation Reveals Malicious Intent

A recent report by Lumen Technologies’ Black Lotus Labs may provide new insights into the October router failures. The report, published on a Thursday, suggests that malware was responsible for taking down over 600,000 routers within a 72-hour period starting October 25. While the report does not name the ISP, the details align closely with the Windstream incident, including the specific router models, the onset date, and the static red light display.

The Black Lotus Labs researchers assert that the routers were deliberately targeted by an unknown threat actor using commodity malware known as Chalubo. This malware allowed the attacker to execute custom Lua scripts on the infected devices, leading to the permanent overwriting of the router firmware. “We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage,” the report states, emphasizing the severe implications of such a widespread and targeted attack.

In their investigation, Black Lotus Labs utilized the Censys search engine to monitor the affected router models. They discovered a 49 percent drop in the presence of these models on one specific autonomous system number (ASN) during the incident period. This equated to at least 179,000 ActionTec routers and over 480,000 Sagemcom routers being disconnected. The researchers estimate that a minimum of 600,000 routers were affected by Chalubo, resulting in their permanent disconnection.

Mystery Malware Destroys 600,000 Routers in 72 Hours, Affecting Windstream ISP Users

Unprecedented Scale and Implications

The malware attack on Windstream’s routers marks an unprecedented scale of router destruction. The researchers noted that while there have been earlier instances of malware targeting routers, such as the AcidRain malware in 2022, which affected 10,000 modems of satellite internet provider Viasat during the Russia-Ukraine conflict, the Windstream incident is notable for both its scale and its precision.

Black Lotus Labs continues to investigate the incident, and while they have not ruled out the involvement of a nation-state, they have not found any direct links to known nation-state groups. The researchers remain cautious but concerned about the potential implications of such a sophisticated and large-scale attack on internet infrastructure.
