Mysterious Malware Bricks Over 600,000 Windstream Routers, Leaving Customers Disconnected


Windstream Customers Left in the Dark After Massive Router Outage

Last October, subscribers to the internet service provider Windstream found themselves suddenly disconnected from the online world. Reports flooded message boards as users discovered their ActionTec T3200 routers had inexplicably stopped working, remaining unresponsive to reboots and all other attempts to revive them.

The incident, which began on October 25 and lasted for several days, affected a significant portion of Windstream's 1.6 million subscribers across 18 states, including Iowa, Alabama, Arkansas, Georgia, and Kentucky. Many customers, who rely on Windstream's Kinetic broadband service as their primary link to the outside world, expressed frustration and blamed the ISP for pushing updates that rendered their devices useless.

"We have 3 kids and both work from home," one subscriber wrote in an online forum. "This has easily cost us $1,500+ in lost business, no tv, WiFi, hours on the phone, etc. So sad that a company can treat customers like this and not care."

After determining that the routers were permanently unusable, Windstream sent replacement devices to affected customers. Black Lotus Labs, a security firm under Lumen Technologies, has since named the event "Pumpkin Eclipse," and its research has shed new light on the incident.

According to a report published by Black Lotus Labs on Thursday, malware took out more than 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP over a 72-hour period beginning on October 25. While the researchers have not identified the ISP, the details they provided closely match those reported by Windstream subscribers during the outage.

Black Lotus Labs believes that an unknown threat actor with equally unknown motivations deliberately targeted the routers using commodity malware known as Chalubo. A built-in feature of the malware allowed the actor to execute custom Lua scripts on the infected devices, which the researchers suspect were used to download and run code that permanently overwrote the router firmware.

The implications of a single piece of malware severing the connections of 600,000 routers are deeply concerning, particularly given that a sizeable portion of the affected ISP's service area covers rural or underserved communities. The outage may have cut off access to emergency services, disrupted remote monitoring of crops during harvest season, and disconnected health care providers from telehealth or patients' records.

Black Lotus Labs has yet to determine the initial means of infecting the routers, but it suspects the threat actors may have exploited a vulnerability, abused weak credentials, or accessed an exposed administrative panel. The researchers noted that this attack stands out due to the unprecedented number of devices affected and the fact that it was confined to a single ASN.

As the investigation continues, Windstream has declined to comment on the incident. In the meantime, Black Lotus Labs advises users to install security updates, replace default passwords with strong ones, and regularly reboot their routers to help keep such devices free of malware. The report also includes indicators that people can use to determine if their devices have been targeted or compromised in the attacks.