Mystery Malware Destroys 600,000 Routers From a Single ISP During 72-Hour Span
Arthur T Knackerbracket has processed the following story:
One day last October, subscribers to an ISP known as Windstream began flooding message boards with reports their routers had suddenly stopped working and remained unresponsive to reboots and all other attempts to revive them.
[...] In the messages-which appeared over a few days beginning on October 25-many Windstream users blamed the ISP for the mass bricking. They said it was the result of the company pushing updates that poisoned the devices. Windstream's Kinetic broadband service has about 1.6 million subscribers in 18 states, including Iowa, Alabama, Arkansas, Georgia, and Kentucky. For many customers, Kinetic provides an essential link to the outside world.
[...] A report published Thursday by security firm Lumen Technologies' Black Lotus Labs may shed new light on the incident, which Windstream has yet to explain. Black Lotus Labs researchers said that over a 72-hour period beginning on October 25, malware took out more than 600,000 routers connected to a single autonomous system number belonging to an unnamed ISP.
While the researchers aren't identifying the ISP, the particulars they report match almost perfectly with those detailed in the October messages from Windstream subscribers. Specifically, the date the mass bricking started, the router models affected, the description of the ISP, and the displaying of a static red light by the out-of-commission ActionTec routers. Windstream representatives declined to answer questions sent by email.
According to Black Lotus, the routers-conservatively estimated at a minimum of 600,000-were taken out by an unknown threat actor with equally unknown motivations. The actor took deliberate steps to cover their tracks by using commodity malware known as Chalubo, rather than a custom-developed toolkit. A feature built into Chalubo allowed the actor to execute custom Lua scripts on the infected devices. The researchers believe the malware downloaded and ran code that permanently overwrote the router firmware.
We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN," Thursday's report stated before going on to note the troubling implications of a single piece of malware suddenly severing the connections of 600,000 routers.
[...] A Black Lotus representative said in an interview that researchers can't rule out that a nation-state is behind the router-wiping incident affecting the ISP. But so far, the researchers say they aren't aware of any overlap between the attacks and any known nation-state groups they track.
Read more of this story at SoylentNews.