Hundreds of thousands of routers of a US provider destroyed

In just 72 hours, half of all customers of US provider Windstream went offline. Hundreds of thousands of routers had to be replaced. The ISP remains silent.

WLAN router wrapped in chains

Symbolic image showing none of the affected devices.

This article was originally published in German and has been automatically translated.

At the end of October, hundreds of thousands of routers at the US internet service provider Windstream went offline. Within three days, around half of its customers lost their internet access. Their routers were suddenly useless and had to be replaced; factory resets did not help. The ISP serves just under 1.2 million households and tens of thousands of businesses in 18 US states, mainly in rural areas. According to security researchers at Lumen, a malicious update of the router firmware, delivered by malware called Chalubo, was to blame.

Several things about the alarming incident are strange. Only routers at this one ISP were affected, yet they were models from two different manufacturers: the Actiontec T3200s and T3260s, as well as Sagemcom routers, most likely the F5380 model according to Lumen. A scan by Lumen's security research department Black Lotus Labs on October 24 shows 875,000 Sagemcom routers, 230,000 Actiontec routers and 136,000 devices from other manufacturers at Windstream. Three days later, all Actiontec devices were offline, and fewer than 90,000 of the Sagemcom fleet remained. The "other" group, meanwhile, had grown by a good 360,000.

Black Lotus conservatively estimates the number of affected Windstream customers at 600,000, but it was probably closer to one million. Was a (former) employee seeking revenge? Were criminals trying to extort Windstream? Was it an attack by another state on US infrastructure? Or was it the coincidence of two centrally deployed, faulty updates?

Did the attacker try to take over the routers in order to abuse them, but accidentally bricked them in the process? Black Lotus reports having observed incoming commands for DDoS attacks that the devices did not execute. But why would such a perpetrator focus on a single ISP rather than attacking the same models on other networks?

And how was Windstream able to connect 360,000 new routers so quickly? The company remains silent. Even heise security was told succinctly: "we don't have a comment." As the company is no longer listed on a stock exchange, it does not have to explain itself publicly. And because the Republican Party, in its fight against net neutrality, had stripped the telecom regulator FCC of jurisdiction over ISP regulation, regulatory oversight was also lacking, even though an incident of this magnitude affects national security.

Black Lotus presents statistics from Censys scans showing the visible distribution of router brands at Windstream at the end of October 2023.

(Image: Black Lotus Labs by Lumen)

The FCC only regained jurisdiction in April and can now begin to set security standards. Its first step is to mandate measures securing the Border Gateway Protocol (BGP), which would not have helped here.

Black Lotus was unable to determine exactly how the perpetrators got into the Windstream routers. The keys used for communication with the command-and-control servers have been known since 2018; the perpetrators reused them unchanged. Ultimately, the researchers' recommendations are of a general nature: install updates, restart routers regularly and change default passwords. Administrators of router fleets must ensure that their management systems are well secured and not reachable from the internet.

Such a massive, successful attack on an ISP has never been reported before. Only the Russian sabotage of the KA-SAT satellite network on February 24, 2022, an hour before the invasion of Ukraine, is comparable. That attack also affected remote control systems for wind turbines in other European countries. In terms of the number of connections, however, it was one to two orders of magnitude smaller than the destruction at Windstream.

Windstream was created in 2006, when the fixed-line business of the network operator Alltel was merged with that of the Valor Communications Group. The year before, Alltel had taken over Western Wireless. Voicestream Wireless, now known as T-Mobile USA, had been spun off from Western Wireless in 1999. In a sense, Windstream and T-Mobile USA are cousins.

In Austria, Western Wireless owned the budget mobile operator tele.ring, which was also taken over by T-Mobile in 2006. Windstream filed for bankruptcy in 2019, shed several billion dollars of debt in the proceedings, and has been privately owned since 2020.

(ds)