Massacre of WiFi routers leaves 600,000 American families offline

An unprecedented wiperware campaign was carried out in the US last year, turning 600,000 WiFi routers into e-waste. In just 72 hours, a sizeable portion of a certain service provider’s (ISP’s) customers, mostly in rural communities, were left without access to emergency services.

Researchers are only now starting to piece together the scope of a cyberattack that occurred over a 72-hour period between October 25th and 27th last year. Routers suddenly started dying, and LED indicators displayed only a static red light.

An avalanche of complaints filled online forums, and the customer support centers had the only explanation ­– the entire unit would need to be replaced.

Thousands of small office/home office (SOHO) routers infected with a remote access trojan (RAT) dubbed “Chalubo” were rendered permanently inoperable, requiring a hardware replacement.

“The event was unprecedented due to the number of units affected – no attack that we can recall has required the replacement of over 600,000 devices,” researchers from Lumen Technologies’ Black Lotus Labs said in a report.

The cyberattack was confined to a single ISP's network and affected Sagemcom and ActionTec devices. Public scan data confirmed the sudden and precipitous removal of 49% of all modems from the impacted ISP’s autonomous system number (ASN).

“These reports led us to believe the problem was likely a firmware issue, as most other issues could be resolved through a factory reset,” Lumen said.

The cyberattack affected families in rural and underserved communities. Residents were left without access to emergency services, farmers may have lost critical information from remote monitoring of crops during the harvest, and healthcare providers were cut off from telehealth or patients’ records.

What’s more worrying is that the malware family remained highly active in the following months.

“Based on a 30-day snapshot in October, Lumen identified over 330,000 unique IP addresses that communicated with one of 75 observed C2 nodes for at least two days, indicating a confirmed infection.”

According to researchers, Chalubo malware was not written specifically for destructive actions, it is a commodity tool that hackers may have chosen to obfuscate attribution.

“We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage and though we expected to see a number of routers make and models affected across the internet, this event was confined to the single ASN,” they said.

Malware corrupted firmware

Researchers are unsure how blackhats managed to gain the initial access. The affected models did not have commonly known exploits at the time. It’s likely the threat actor abused weak credentials or exploited an exposed administrative interface.

Once inside, attackers downloaded and ran a malicious script named “ger_scrpc,” which allowed all network traffic and downloaded additional executables.

The malware then collects device information such as the MAC address, device ID, type, version, and local IP. It deleted itself from the router and left running processes in the memory that attempted to download the next stage. Chalubo Bot was the main payload.

“The infection mechanism process was done remarkably well,” researchers said. “This newer version does not appear to have any persistence and deletes all traces of itself from the disk.”

Not only did the malware delete any files from the system once they were executed, it also renamed the processes to hamper detection, used encrypted communications with command and control servers, and inserted delays to evade sandbox detection. For added functionality, it was able to run arbitrary Lua scripts.

attack chain

The only mistake researchers observed was that the threat actor used the exact same encryption key and nonce, previously documented in Sophos' report on Chalubo.

Chalubo is capable of running DDoS (distributed denial of service) attacks, but in this case, the malware did not respond to such commands, suggesting the threat actor had other goals.

The malware likely downloaded and decrypted the final stage – the destructive payload – which researchers have not yet been able to recover.

“This campaign resulted in a hardware-based replacement of the affected devices, which likely indicates that the attacker corrupted the firmware on specific models,” researchers concluded. “No attack that we can recall has required the replacement of over 600,000 devices.”

They pointed out that such an attack only occurred once when AcidRain was used as a precursor to an active military invasion. Lumen assesses this was a deliberate disruptive attack.

“At this time, we do not assess this to be the work of a nation-state or state-sponsored entity. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon or SeaShell Blizzard,” researchers said.

Cybersecurity experts puzzled

Roger Grimes, data-driven defense evangelist at KnowBe4, said he was unaware that something like this had happened in the US before.

“And what would be the motivation for malicious hackers to wipe out hundreds of thousands of unpatched modems? It would not surprise me if the ISP got an extortion notice and either ignored it or failed in negotiating a ransom amount,” Grimes speculated.

“Or maybe the hackers did it just because they could. But why focus on just one set of customers? Something happened for a reason.”

To Grimes, this incident shows the need for an aggressive auto-patching of hardware.

Lumen also advises consumers with SOHO routers to regularly reboot routers, which would remove the malware running in the memory.

“Make sure devices do not rely upon common default passwords,” Lumen said.

Management interfaces should also be properly secured and not accessible via the Internet.