
Over 600,000 Routers in the U.S. Taken Down by Mysterious Cyber Attack

Over 600,000 small office/home office (SOHO) routers in the U.S. were rendered inoperable in a cyber attack carried out by unknown attackers, disrupting internet access for many users. This significant event, which occurred between October 25 and 27, 2023, was dubbed "Pumpkin Eclipse" by the Lumen Technologies Black Lotus Labs team. The attack targeted three specific router models—ActionTec T3200, ActionTec T3260, and Sagemcom—provided by an undisclosed internet service provider (ISP).

During the 72-hour attack period, the compromised routers were permanently damaged, necessitating hardware replacements. This incident resulted in the loss of 49% of all modems associated with the ISP's autonomous system number (ASN). While the ISP's identity was not officially confirmed, Windstream is suspected due to a corresponding outage and user reports of affected modems displaying a "steady red light."

Lumen's subsequent investigation identified the commodity remote access trojan (RAT) called Chalubo as the culprit behind the attack. Chalubo, first noted by Sophos in October 2018, is known for its ability to target a variety of SOHO/IoT device kernels, carry out DDoS attacks, and execute Lua scripts. It appears the attackers used Chalubo to complicate attribution, rather than employing a custom tool. The exact method used to gain initial access to the routers remains unclear, though it may have involved weak credentials or exposed administrative interfaces.

Once access was secured, the attackers deployed shell scripts that downloaded and launched Chalubo from an external server, including a destructive Lua script module. This campaign's focus on a single ASN is unusual, as most attacks target specific router models or common vulnerabilities; this suggests a deliberate, specific target, though the attackers' motivations remain unknown.

Lumen highlighted the unprecedented scale of this attack, noting that no previous incidents have necessitated the replacement of over 600,000 devices. A comparable event was the AcidRain attack, which preceded an active military invasion, underlining the severity and unique nature of the Pumpkin Eclipse incident.
