Massive Cyber Attack Cripples Over 600,000 Routers in the U.S.

A mysterious cyber attack has left over 600,000 small office/home office (SOHO) routers offline, disrupting internet access for many users in the U.S. The attack, which occurred between October 25 and 27, 2023, targeted a single internet service provider (ISP).

The affected routers include the ActionTec T3200, ActionTec T3260, and Sagemcom models issued by the ISP. The attack rendered these devices permanently inoperable, necessitating hardware replacements. During the 72-hour window, nearly 49% of all modems from the ISP’s autonomous system number (ASN) were abruptly removed from service.

While the ISP remains unnamed, evidence suggests it may be Windstream, which experienced an outage during the same period, with users reporting a persistent “steady red light” on their modems. Months later, researcher analysis identified the remote access trojan (RAT) Chalubo, a malware first documented by Sophos in 2018, as the culprit. Chalubo’s use hints at an attempt to obscure attribution rather than employing a custom toolkit.

Chalubo is known for its payloads designed for major SOHO/IoT kernels, DDoS attack capabilities, and execution of Lua scripts. It’s suspected that the attackers used Chalubo’s Lua functionality to deploy the destructive payload. The initial access method remains unclear, but it’s theorized that weak credentials or an exposed administrative interface were exploited.

Once the attackers gained access, they dropped shell scripts leading to a loader that retrieved and launched Chalubo from an external server. The specifics of the destructive Lua script used by Chalubo are unknown.

This campaign’s focus on a single ASN, unlike typical attacks targeting specific router models or common vulnerabilities, suggests deliberate targeting, though the motives remain uncertain. Lumen noted the unprecedented nature of the attack, highlighting that no previous incident required the replacement of over 600,000 devices. The only similar event involved AcidRain, which preceded an active military invasion.

To prevent similar router attacks, it’s crucial for ISPs and users to secure their network devices by changing default credentials and disabling unused services. Regularly updating firmware and applying security patches can mitigate vulnerabilities. Implementing robust network monitoring and anomaly detection systems will help in identifying suspicious activities early.