Hundreds of thousands of US internet routers destroyed in newly discovered 2023 hack

By Christopher Bing

WASHINGTON (Reuters) - - An unidentified hacking group launched a massive cyberattack on a telecommunications company in the U.S. heartland late last year that disabled hundreds of thousands of internet routers, according to research published Thursday.

Security analysts with Lumen Technologies' Black Lotus Labs discovered the attack in recent months and reported on it in a blog post.

The October incident, which was not disclosed at the time, took more than 600,000 internet routers offline. Independent experts said it appeared to be one of the most serious cyberattacks ever against America’s telecommunications sector.

The researchers said the hackers installed malicious software that disrupted internet access from Oct. 25 to 27 across numerous Midwest states. The analysts found the malware, which continued circulating, on the internet months later through certain file links that the hackers left visible.

The report did not name the company that was attacked. Nor did Lumen attribute the hack to a particular country or known group. The researchers said the saboteurs used common methods which made them harder to identify.

The internet routers were disabled when a malicious firmware update sent to the company's customers deleted elements of the routers’ operational code, making them effectively inoperable. Exactly how the firmware update was shipped to users was unclear.

“We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage,” Lumen's report said. “Destructive attacks of this nature are highly concerning, especially so in this case."

A comparison of details and event descriptions in the Lumen report with internet outages on the dates of the attack pointed to one entity: Arkansas-based internet service provider Windstream.

A spokesperson for Windstream declined to comment as did the FBI. The National Security Agency and Homeland Security Department referred inquiries to the FBI.

The researchers described the potential consequences from the attack as serious.

"A sizeable portion of this ISP’s service area covers rural or underserved communities; places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records,” the researchers wrote.

There are few public signs of the incident. On the social media platform Reddit, self-identified Windstream customers posted complaints about a strange outage beginning around Oct. 25, the date noted by Lumen.

The Reddit users described how their routers would not connect to their internet provider so they could not access the internet. The users said Windstream was requiring them to return their disabled routers for new devices because a remote fix did not seem possible.

It was not clear if the FBI, which is in charge of investigating U.S. cybercrimes, was notified of the hack. But private companies often elect not to disclose such incidents.

(Reporting by Christopher Bing; Editing by Cynthia Osterman)