600,000 routers shut down in a single cyberattack

More than 600,000 internet routers were rendered inoperable in several Midwest states due to a cyberattack between October 25 and 27 last year, according to new research published by Black Lotus Labs, the threat research arm of Lumen Technologies. The incident was not disclosed at the time, even though hundreds of thousands of routers were rendered inoperable.

The investigation also did not reveal which company was targeted, but Reuters says it has identified Arkansas-based ISP Windstream as a target based on cross-referencing of internet outages reported during the same period. Windstream, whose service area covers many rural or underserved communities, declined The Verge's request for comment.

Black Lotus Labs conducted the investigation based on repeated complaints on social media and outage detectors about specific routers, particularly the Actiontec T3200 and Actiontec T3260. Users reported that their issues were resolved only when their provider replaced the affected device.

The malicious firmware package that removed parts of the operational code on the affected routers was identified as "Chalubo," a commodity remote access Trojan. It's unclear how the firmware was sent to customers — whether through an unknown exploit, vulnerable credentials or access to administrative tools — or who was behind the attack that researchers called a "deliberate act intended to cause an outage."

While some mysteries remain, Black Lotus Labs advises organizations to secure management tools and avoid basic security vulnerabilities such as default passwords. Consumers are also encouraged to stay on top of regular security updates.