New Details Emerge on October 2023 Cyber Attack That Permanently Destroyed 600,000 Internet Routers

Jun 11, 2024

A fairly major destructive cyber attack that took place over half a year ago is only just now becoming known to the public, as security research team Black Lotus Labs has revealed that an ISP in the Midwest region of the United States was targeted and about 600,000 internet routers ended up being destroyed.

The attackers did not appear to be seeking profit; they deliberately targeted two particular models of internet router that the ISP distributes to its customers. The attack permanently corrupted the firmware of these routers, leaving physical replacement of the hardware as the only remedy.

“Pumpkin eclipse” cyber attack struck during harvest season

Black Lotus has been tracking the cyber attack for some time, after a rash of complaints appeared on a number of internet forums in October 2023. The complaints all centered on two particular models of ActionTec internet routers that had suddenly stopped working, displayed a red light and would not respond to a factory reset.

As it turns out, it was the work of hackers deploying destructive malware that renders the internet routers inoperable by permanently overwriting their firmware. It remains unknown exactly who was behind the cyber attack, or exactly how they gained access to some 600,000 of these devices. As the Black Lotus report notes, there are no published exploits for the impacted models.

It is also not clear what damage the cyber attack might have done, but the region served is mostly rural and was in the midst of the harvest of numerous crops at the time of the attack. The outage lasted about three days, potentially also impacting health care services in areas where residents face a drive of tens of miles for any type of medical assistance.

Mass destruction of internet routers seemingly went unreported

This is the first public notice of the breach, though forum posts from October indicated something was happening at the time. That may be due to the fact that the impacted customers were largely rural, and the outage lasted only three days. Still, it is surprising that the mass destruction of routers issued by a particular ISP did not make the news before now.

All parties involved have also been keeping mum about the cyber attack. The Black Lotus report does not name the ISP, but Reuters is reporting that it was very likely an Arkansas firm called Windstream that mostly serves rural customers and those remote from cities. There is no statement from that company as of yet or indication that law enforcement is investigating the issue.

As to the attacker and their motivation, nothing but guesses are available at this point. The focus on destroying internet routers in a remote area, with little possibility of making money from the attack, would point to two categories of attacker: a disgruntled insider, or a nation-state attacker testing its ability to disrupt infrastructure. But Black Lotus says it sees no indication that an APT group was involved, and the incident appears to be part of a broader worldwide campaign of cyber attacks involving the Chalubo malware that lasted from late 2023 to early 2024.

The ActionTec T3200 and ActionTec T3260 internet routers are the impacted models, though there is not yet any indication that they have an exploitable vulnerability. It is possible the attacker abused some form of administrative access instead. Black Lotus is advising both residential and business users of all similar routers to ensure their login credentials are strong, keep management interfaces unreachable from the internet, and reboot routers regularly.
