
2023 Cyber Attack on Midwestern ISP Disabled Over Half a Million Internet Routers

A new report from Black Lotus Labs, the threat research division of Lumen Technologies, examines an October 2023 cyber attack on a small Midwestern US ISP that disabled about 600,000 internet routers for about three days.

The attack has been attributed to an older remote access trojan that was able to take out 49% of the modems from the ISP’s autonomous system number (ASN), in what is believed to be a targeted cyber attack intended to cause a prolonged outage.

Over half a million internet routers disabled in targeted destructive attack

The cyber attack unfolded from October 25th to 27th of last year, but is only now coming to light as there was no formal disclosure or detail available. The only prior indication is that residents of several Midwestern states may have noticed internet outages or disruptions during that time. The Black Lotus report does not identify the ISP that was targeted, but reporters with Reuters believe it was Arkansas-based Windstream based on outage reports from that time period.

Windstream mostly provides service to rural communities and those too remote from metro areas to be covered by larger ISPs, which may have contributed to the lack of public information about the incident prior to now. The company has not yet publicly commented on the issue.

The incident is unusual and noteworthy not just because of the scale of the outage, but the fact that the attackers seemed intent on destruction rather than any sort of financial motivation. The attackers have also not yet been identified. They made use of a commodity remote access trojan called “Chalubo” that was first spotted in action in 2018, and seemed to specifically target ActionTec T3200 and ActionTec T3260 small office/home office (SOHO) internet routers. The trojan installed a malicious firmware package that deleted operational code, with customers reporting that they were forced to replace the devices entirely.

Though it is an older trojan, Black Lotus described its deployment as “savvy”: the malware encrypted its communications with the command-and-control server and ran only in memory, leaving no malicious or unusual files on disk to be detected. Despite being active for at least six years, researchers still know little about the Chalubo malware family because of these extremely cautious evasion features.

Though the focus on permanently crippling internet routers and the lack of financial motivation would seem to point to possible nation-state involvement, Black Lotus says there is no clear indication of that at present. The incident appeared to be part of a global campaign of cyber attacks using Chalubo malware that unfolded in the fourth quarter of 2023 and into early 2024, though the identity and purpose of the threat actor remain unclear.

Hector Garcia, Threat Intelligence Analyst at Outpost24, notes the possibility of it being a disgruntled insider: “This attack exemplifies a well-established business model within the criminal underground: operators purchasing access to a botnet to distribute their own malware without developing their own infection tools. However, it also presents some unprecedented characteristics. While purely destructive attacks are not new, cybercriminals typically have motivations beyond wreaking havoc. There is usually an underlying reason, such as disguising a wiper as ransomware or causing disruption to facilitate military operations. This does not appear to be the case here. The lack of self-attribution to claim this as a terrorist attack or hacktivist action, and the fact that it only affected clients from a particular ISP, make this situation unique. We could be dealing with a disgruntled insider or client aiming to damage the provider’s image, or it might be a test for a more widespread attack of similar nature in the future.”

Cyber attack may have done damage to crop harvest, regional health care

The cyber attack was first discovered by Black Lotus via a major uptick in complaints about the specific ActionTec internet routers posted to various public forums in late October 2023, as customers saw their devices suddenly cease to function and display a red light. Calls to ActionTec customer service reportedly did not mention malware, but the users were told the device was essentially “bricked” and would have to be replaced as a factory reset would not resolve the issue. Windstream appeared to exchange the internet routers at their expense.

However, there is still no indication of how the attackers initially penetrated the internet routers. There are no listed OpenCVE exploits for the impacted models. The most likely explanation is that the attacker was able to access an administrative interface in some way.

The damage from the cyber attack has not been mapped out, but it potentially impacted health care facility services in the area. Telehealth visits are particularly important in rural areas, where the average distance to any kind of hospital is twice as long (about 10 miles) as it is for urban and suburban residents. Some communities in the impacted region can be as far as 30 miles from health care. The attack also landed during a harvest season for a large variety of crops.

At present there is no relevant law requiring public disclosure of this type of cyber attack, so it is also unknown whether law enforcement is investigating the issue. Black Lotus advises all users of SOHO internet routers to ensure that they are not using default passwords, that login credentials are strong, and that management interfaces cannot be reached over the internet. Both home and business users should regularly reboot their routers and ensure that they have received the latest security updates and patches.
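The hygiene advice above (no default or weak admin credentials, no management interface exposed to the internet, current firmware, periodic reboots) is easy to state and easy to let slip across a fleet of SOHO devices. The following audit script is an added example, not code from Black Lotus Labs, Windstream, or ActionTec: it runs those checks over an inventory of router settings and reports findings by severity. The field names (`admin_user`, `wan_admin_enabled`, `firmware_date`, and so on), the default-credential list, the age and uptime thresholds, and the two sample routers are all constructed for this example and are not any vendor's real configuration schema.

```python
"""Audit SOHO router settings against basic hygiene checks.

Added example; not part of the original article or any vendor's tooling.
Settings dictionaries, the default-credential list and the thresholds
below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed list of factory defaults; real lists are vendor-specific.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

MAX_FIRMWARE_AGE_DAYS = 365   # assumed threshold for "stale" firmware
MAX_UPTIME_DAYS = 30          # assumed window for "reboot regularly"
MIN_PASSWORD_LENGTH = 12


@dataclass
class Finding:
    device: str
    check: str
    severity: str
    detail: str


def password_is_weak(pw: str) -> bool:
    """Heuristic: too short, or fewer than three character classes."""
    if len(pw) < MIN_PASSWORD_LENGTH:
        return True
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return classes < 3


def audit_router(cfg: dict, today: date) -> list:
    """Return a list of Findings for one router's settings."""
    name = cfg["device"]
    findings = []

    # Check 1: default or weak administrative credentials.
    creds = (cfg["admin_user"], cfg["admin_password"])
    if creds in DEFAULT_CREDENTIALS:
        findings.append(Finding(name, "default-credentials", "critical",
                                "admin account still uses a factory default"))
    elif password_is_weak(cfg["admin_password"]):
        findings.append(Finding(name, "weak-password", "high",
                                f"password shorter than {MIN_PASSWORD_LENGTH} "
                                "chars or too few character classes"))

    # Check 2: management interface reachable from the WAN side.
    if cfg["wan_admin_enabled"]:
        findings.append(Finding(name, "wan-management", "critical",
                                "management interface reachable from the internet "
                                f"on port {cfg['wan_admin_port']}"))

    # Check 3: firmware older than the assumed threshold.
    fw_age = (today - cfg["firmware_date"]).days
    if fw_age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(Finding(name, "stale-firmware", "high",
                                f"firmware is {fw_age} days old"))

    # Check 4: device has not been rebooted within the assumed window.
    if cfg["uptime_days"] > MAX_UPTIME_DAYS:
        findings.append(Finding(name, "long-uptime", "low",
                                f"{cfg['uptime_days']} days since last reboot"))
    return findings


# Constructed sample inventory: one neglected router and one hardened one.
SAMPLE_ROUTERS = [
    {"device": "branch-router-1", "admin_user": "admin", "admin_password": "admin",
     "wan_admin_enabled": True, "wan_admin_port": 8080,
     "firmware_date": date(2021, 3, 1), "uptime_days": 412},
    {"device": "branch-router-2", "admin_user": "netops",
     "admin_password": "Tr0ub4dor&Pine-Cone",
     "wan_admin_enabled": False, "wan_admin_port": None,
     "firmware_date": date(2024, 4, 15), "uptime_days": 9},
]


def audit_inventory(routers, today=date(2024, 6, 1)) -> dict:
    """Map each device name to its list of Findings (fixed 'today' for reproducibility)."""
    return {r["device"]: audit_router(r, today) for r in routers}


if __name__ == "__main__":
    for dev, findings in audit_inventory(SAMPLE_ROUTERS).items():
        print(f"{dev}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

In practice the settings dictionaries would be populated from each device's exported configuration or a management API rather than typed in; the point of the structure is that every check is a named, testable function, so the list can be extended (for example with a vendor-specific list of firmware versions known to be current) without changing the reporting.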