More than 600,000 small office/home office (SOHO) routers belonging to the same ISP were rendered inoperable in a single destructive event, Lumen Technologies reports.
The impacted ActionTec and Sagemcom router models were all within the ISP’s autonomous system number (ASN) and were likely infected with Chalubo, a remote access trojan (RAT) that enlists devices into a botnet.
The destructive incident occurred over a 72-hour period between October 25 and October 27, 2023, and impacted ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380 router models.
The event, Lumen says, took roughly 49% of the modems in the impacted ASN offline, and the affected devices had to be physically replaced. Overall, roughly 179,000 ActionTec and 480,000 Sagemcom routers may have been bricked.
“We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN,” Lumen notes.
The threat actor responsible for the attack, Lumen says, likely chose Chalubo to deploy malicious firmware on the impacted routers to obfuscate attribution, but no evidence of overlaps between this incident and known nation-state actors, such as Volt Typhoon, has been found.
First discovered in 2018, the Chalubo malware enlists devices into a botnet capable of launching distributed denial-of-service (DDoS) attacks and also supports executing Lua scripts on infected devices. After infection, the trojan resides only in memory, which makes it difficult to detect.
Lumen identified hundreds of thousands of Chalubo bots worldwide, each communicating with only one of the tens of malware panels the botnet operator was observed using between September and November 2023. Most of the infections were in the US.
Only one panel was used during the destructive attack, and not all Chalubo infections participated in it, suggesting that the panel may have been purchased specifically to hinder attribution.
“This suggests that while the Chalubo malware was used in this destructive attack, it was not written specifically for destructive actions. We suspect the threat actors behind this event chose a commodity malware family to obfuscate attribution, instead of using a custom-developed toolkit,” Lumen says.

