Cyber Attack Destroyed 600,000 Routers In The U.S.

An unidentified hacking group carried out a massive cyberattack on a telecommunications company in the U.S. in 2023, reportedly disabling over 600,000 internet routers.

In a new report published by Lumen Technologies’ Black Lotus Labs, security researchers claim that the mysterious attack, which was discovered in recent months, took place in late October 2023.

Over 600,000 small office/home office (SOHO) routers belonging to a single internet service provider (ISP) were taken offline.

According to the report, the incident took place over a 72-hour period between October 25 and 27, 2023, across several U.S. states. It affected three router models issued by the ISP: ActionTec T3200, ActionTec T3260, and Sagemcom F5380.

The event, codenamed “Pumpkin Eclipse” by Lumen Technologies’ Black Lotus Labs team, rendered the infected devices permanently inoperable and required a hardware-based replacement.

During this time period, 49% of all modems were abruptly removed from the impacted ISP’s autonomous system number (ASN).

“When searching for exploits impacting these models in [vulnerability alerting platform] OpenCVE for ActionTec, none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface,” the Black Lotus researchers said in the blog post.

While Black Lotus Labs did not name the affected ISP, the particulars they report match Arkansas-based ISP Windstream, which suffered an outage around the same time. Starting on October 25, 2023, Windstream subscribers began reporting on Reddit that their routers were displaying a “static red light.”

Since a remote fix was not possible, Windstream customers were asked to return their disabled routers for new devices to restore their internet access. An estimated 600,000 routers, at minimum, were taken offline by an unknown threat actor.

Now, months later, Lumen’s analysis has identified “Chalubo,” a commodity remote access trojan (RAT) first documented by Sophos in October 2018, as the primary payload responsible for the event. It deleted elements of the routers’ operational code and made them effectively inoperable.

Chalubo includes a feature that allowed the threat actor to execute Lua scripts on the infected devices. The researchers believe the downloaded malware ran code that permanently overwrote the router firmware.

Lumen has not provided any details on who was behind the attack or how the firmware update was shipped to all affected customers—whether through an unknown vulnerability, weak credentials, or access to an exposed administrative interface.

According to the researchers, the potential consequences of the attack can be serious.

“We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage. Destructive attacks of this nature are highly concerning, especially so in this case.

A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records,” Lumen researchers said in the report.

Although Black Lotus Labs was not able to recover the destructive module, it is monitoring the activity to prevent future attacks.

Black Lotus Labs recommends that organizations managing SOHO routers not rely on common default passwords, and that customers with SOHO routers regularly reboot their devices and install security updates and patches.

Kavita Iyer