Massive cyberattack on Windstream home routers

Starting on October 25 last year, an unprecedented incident hit the telecommunications industry. For three consecutive days, Windstream, a US connectivity service provider with approximately 1.6 million subscribers spread across 18 states, received reports of sudden and unexplained failures from its users. More than 600,000 home routers, mostly ActionTec T3200 models, suddenly became unusable, causing economic losses to users who depended on the Internet connection for their work and other essential activities.

Upgrade failure hypotheses and Black Lotus Labs findings

At first, many users suspected that Windstream was to blame, speculating that a failed firmware update was the root cause. Faced with unusable routers, Windstream had to send new devices to affected customers. However, an investigation conducted by Black Lotus Labs, the security division of Lumen Technologies, changed the game. In their report, experts revealed that malware dubbed “Pumpkin Eclipse” was behind the incident. Although the ISP was not explicitly named, many details coincided with reports from Windstream customers, suggesting that the ISP was indeed the target of the attack.

The role of the Chalubo malware and the consequences for users

According to the Black Lotus Labs report, the malware used in the attack was a commercial software called Chalubo, which is known to run custom Lua scripts on infected devices. Attackers exploited this ability to download and execute code that permanently overwrote routers' firmware, rendering them unusable. The impact of this attack was devastating, especially for rural or underserved communities, who lost access to essential services such as health emergencies, critical agricultural operations or telemedicine. Restoring services in these areas was complicated and took longer, underscoring the vulnerability of internet connections in isolated settings.

Hypotheses on the origin of the attack and involvement of states

Researchers have not yet been able to definitively determine the initial infection vectors. However, they rule out the possibility of a faulty firmware update produced by a single vendor, given that the attack involved routers from two different manufacturers and affected only one ISP. One of the most credible hypotheses is that the attackers had access to administration panels exposed on the Internet or protected by weak credentials. While nation-state involvement could not be ruled out, there is no concrete evidence to link the incident to government-sponsored groups. The event remains unique, comparable only to the AcidRain malware attack that affected 10,000 modems of the satellite provider Viasat in 2022 during the Russian invasion of Ukraine. This leaves many questions open about the motives and goals of the cybercriminals responsible for the attack.