Home Significant mystery malware attack destroys 600,000 routers

Significant mystery malware attack destroys 600,000 routers


  • Windstream subscribers faced router breakdown affecting 600,000 devices across 18 US states last October.
  • A cyber security report by Lumen Technologies' Black Lotus Labs revealed a 'destructive event' involving malware, potentially a nation-state attack.
  • Windstream has yet to provide a detailed explanation, leaving customers and security experts seeking answers about the cyberattack.

Last October, subscribers to an internet service provider called Windstream became embroiled in a mass router breakdown issue, impacting around 600,000 devices across 18 US states.

Initially, many customers blamed the company for the widespread system outage but it would later become apparent that something very different was happening after the sets were unresponsive to reboots and other attempts to restore them to working order.

Users congregated around online message boards to vent anger and express their own experiences of how the ActionTec T3200 was displaying a solid red light but very little else. From Alabama and Arkansas to Georgia and Kentucky, people were cut off from the outside world. Some detailed lost earnings as they were unable to work from home, with one Windstream subscriber stating they were down $1500 due to no WiFi and hours spent troubleshooting.

The company replaced the bricked routers but there has not been much in terms of an explanation until a recent report conducted by cyber security firm Lumen Technologies’ Black Lotus Labs.

The investigation uncovered a “destructive event” that Windstream is yet to account for.

It transpires that over 72 hours beginning October 25, malware was deployed, wiping out more than 600,000 router devices connected to a solitary autonomous system number (ASN) belonging to an unnamed ISP.

Potential nation-state attack

Coincidence? While the research team has not declared the ISP involved, the situation matches up to the mass bricking reported by Windstream’s subscribers and the timeframe of their comments on the forums.

Malware known as Chalubo was specified, which infected the routers, executing custom Lua scripts that permanently overwrote the firmware, rendering the devices redundant. 

The researchers stated, “Destructive attacks of this nature are highly concerning, especially so in this case.”

“A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records.”

“Needless to say, recovery from any supply chain disruption takes longer in isolated or vulnerable communities.”

The researchers noted a sophisticated threat actor is likely to be responsible, potentially a nation-state-sponsored attack, without elaborating further. After thorough analysis, the initial infection vector remains unknown, with a range of possibilities under consideration.

Windstream has still not provided a detailed response or explanation on what happened, leaving customer queries open, with security experts also seeking more answers about this significant and unique cyberattack.

Image credit: Ideogram

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Graeme Hanna
Tech Journalist

Graeme Hanna is a full-time, freelance writer with significant experience in online news as well as content writing. Since January 2021, he has contributed as a football and news writer for several mainstream UK titles including The Glasgow Times, Rangers Review, Manchester Evening News, MyLondon, Give Me Sport, and the Belfast News Letter. Graeme has worked across several briefs including news and feature writing in addition to other significant work experience in professional services. Now a contributing news writer at ReadWrite.com, he is involved with pitching relevant content for publication as well as writing engaging tech news stories.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.