Pumpkin Eclipse: A mysterious cyberattack disabled 600,000 Wi-Fi routers in the US

Tomcat

Who paralyzed the Internet in the central states and why nothing was known about it for six months.

A large-scale cyberattack almost disabled hundreds of thousands of Internet routers in the central United States at the end of last year. According to a study by Black Lotus Labs, the attackers used simple but extremely effective methods to evade detection. The malicious code continued to spread online even months after the attack, because links to the malicious files remained reachable on the Internet.

Analysts from Lumen Technologies identified the incident in recent months and described it in their blog, naming it "Pumpkin Eclipse". The October hack, which went unreported for more than six months, led to the shutdown of more than 600,000 Internet routers. Independent experts consider this cyberattack one of the most serious ever to affect the American telecommunications sector, given the number of disconnected devices and the number of affected users.

The report does not name the affected company, nor does it name the specific country or group to which the hack is attributed. The attackers appear to have been mainly interested in two specific router models, the T3200 and T3260 from ActionTec.

The routers were disabled by a malicious firmware update that was sent to customers of a certain company and, once installed, deleted parts of the devices' operating code. How the update was delivered remains unclear.

However, the analysis revealed that the main tool used in the attack was Chalubo, a well-known remote access trojan (RAT). First discovered in 2018, it is extremely adept at masking its activity: it deletes all of its files from disk, adopts the name of a random process that already exists on the device, and encrypts all communication with its command server. This explains why very little has been known about the Chalubo malware family until now.

According to Lumen's global telemetry, the Chalubo malware was particularly active in November 2023. Over a 30-day period in October, Lumen recorded more than 330,000 unique IP addresses that interacted with one of the 75 monitored command servers for at least two days. Although the Trojan was used in the attack on routers, it can be assumed that it was not written specifically for this purpose. Most likely, the attackers chose well-known software rather than specially developed tools to make it harder to determine their identity and to avoid attribution of the attack.

Comparing the details and descriptions of events in the Lumen report with Internet outages on the dates indicated suggests that the target of the attack was the Arkansas-based Internet service provider Windstream. Its representative declined to comment on the situation. Apart from user complaints on Reddit, there was practically no public information about the incident on social networks. Windstream probably chose not to disclose information about the hack deliberately; private companies often prefer to keep major incidents secret.

The FBI, the NSA and the US Department of Homeland Security did not confirm this information, redirecting all requests to the FBI. It is possible that an investigation is underway, but no details were disclosed.

The researchers described the potential consequences of the attack as extremely serious: "The coverage area includes many rural areas and low-income settlements. Their residents could lose contact with emergency services, agricultural enterprises could lose control over the harvest process, and doctors could lose access to telemedicine services and patient data."

In October, Reddit users reported that their routers could no longer connect to the Internet service provider and had completely lost access to the network. According to them, Windstream then asked them to return the failed devices to be replaced with new ones, since it was apparently impossible to restore them remotely.
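The evasion tricks attributed to Chalubo above (deleting its files from disk and borrowing the name of a process that already exists) leave a trace a defender can look for. The following is an added example, not code from the Black Lotus Labs report or from any named vendor: on Linux, the `/proc/<pid>/exe` link of a process whose binary was unlinked ends in `(deleted)`, so a process with no backing file on disk that shares its name with a legitimate on-disk process is a strong triage signal. The snapshot records are constructed sample data; the `load_live_snapshot` helper is an assumption about how one would gather the same records on a real host.

```python
# Added example (not from the report): triage heuristic for file-less process masquerading.
# A process whose exe link reads "(deleted)" and whose name collides with an on-disk process is flagged.
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str  # name from /proc/<pid>/comm
    exe: str   # target of readlink(/proc/<pid>/exe)


SNAPSHOT = [  # constructed sample snapshot of a small Linux box, not a real capture
    Proc(1, "init", "/sbin/init"),
    Proc(412, "dropbear", "/usr/sbin/dropbear"),
    Proc(418, "dnsmasq", "/usr/sbin/dnsmasq"),
    Proc(905, "dnsmasq", "/tmp/.x (deleted)"),   # unlinked binary, borrowed name -> flagged
    Proc(910, "httpd", "/usr/sbin/httpd"),
    Proc(933, "updater", "/tmp/upd (deleted)"),  # unlinked but no name collision -> not flagged
]


def deleted_exe(p: Proc) -> bool:
    """True when the kernel reports the process binary as unlinked from disk."""
    return p.exe.endswith("(deleted)")


def find_masquerading(procs):
    """Return sorted PIDs whose binary is unlinked and whose name matches another on-disk process."""
    by_name = defaultdict(list)
    for p in procs:
        by_name[p.comm].append(p)
    hits = []
    for p in procs:
        if deleted_exe(p) and any(q.pid != p.pid and not deleted_exe(q) for q in by_name[p.comm]):
            hits.append(p.pid)
    return sorted(hits)


def load_live_snapshot(proc_root="/proc"):
    """Assumed helper: build the same records from a live Linux /proc (root needed for other users)."""
    procs = []
    for pid in (e for e in os.listdir(proc_root) if e.isdigit()):
        try:
            comm = open(f"{proc_root}/{pid}/comm").read().strip()
            procs.append(Proc(int(pid), comm, os.readlink(f"{proc_root}/{pid}/exe")))
        except OSError:
            continue  # process exited or access denied
    return procs


if __name__ == "__main__":
    print(find_masquerading(SNAPSHOT))  # [905]
```

A deleted binary without a name collision (PID 933 above) is still worth a look, but it is a weaker signal because legitimate package upgrades also leave running processes with unlinked executables.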