More than 600,000 internet routers belonging to a single internet provider were taken offline during a three-day period in October.
Security analysts from Lumen Technologies’ Black Lotus Labs detailed the attack in research published Thursday. All of the routers were leased by a single internet provider and were rendered permanently inoperable, requiring a hardware-based replacement. Nearly half of all the company’s modems were abruptly taken offline over those three days in October.
“The event was unprecedented due to the number of units affected — no attack that we can recall has required the replacement of over 600,000 devices,” Lumen’s researchers wrote. “In addition, this type of attack has only ever happened once before, with AcidRain used as a precursor to an active military invasion.”
There are two unanswered questions in the report: Which internet provider was attacked and who was responsible?
Which internet provider’s routers were hacked?
Lumen’s report doesn’t name which internet provider the routers belonged to. They traced the attack to two different brands of gateway devices, Sagemcom and ActionTec, which both displayed a static red light. Users on public internet forums described calls with customer service in which they were told the entire unit would need to be replaced.
When Lumen’s researchers cross-referenced these modem and router combo devices with the internet providers who use them, they found one specific provider with a 49% drop in the number of its devices connected to the internet.
“A sizeable portion of this ISP’s service area covers rural or underserved communities,” said Lumen’s researchers. “Places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records.”
While the research declined to name the affected internet provider, Reuters reporting found that Windstream was the company in question, citing a comparison of event descriptions in the Lumen report with internet outages on the dates of the attack. A spokesperson for Windstream declined CNET’s request for comment.
Who was responsible for the attack?
Lumen’s researchers concluded that “the event was likely a deliberate action taken by an unattributed malicious cyber actor,” but it didn’t speculate on which actor that might be.
“At this time, we do not have an overlap between this activity and any known nation-state activity clusters,” the report states. “We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN.” ASN stands for autonomous system number, which is like an internet provider’s social security number. What was unique about this attack is that it was confined to a single internet provider rather than a specific router model or vulnerability.
The FBI did not immediately respond to CNET’s request for comment.
How to keep your router protected
“Destructive attacks of this nature are highly concerning, especially so in this case,” Lumen’s researchers wrote. In addition to taking you offline for an extended period, Wi-Fi hacks can expose personal information, install malware or redirect your internet traffic. Here are some practical tips to help strengthen your network’s security:
- Create a unique password: This is the lowest of the low-hanging fruit when it comes to Wi-Fi security. Wi-Fi routers come with a default admin name and password, and forgetting to change these credentials is like leaving the front door wide open for hackers. Best practice is to change your password every six months or so and avoid easily guessed passwords or phrases, like names, birthdays or phone numbers. Here’s how to access your router settings to update your Wi-Fi password.
- Turn on the firewall and Wi-Fi encryption: These are typically turned on by default, but it never hurts to double-check that they’re activated. This will help prevent anyone from eavesdropping on the data sent between your router and the devices that connect to it. You can find these settings by logging into your router from its app or website.
- Upgrade to a WPA3 router: WPA3 is the most up-to-date security protocol for routers. That means it’s been certified by the Wi-Fi Alliance with all the latest protections. If you buy a new router, it’s almost certainly going to be WPA3, but some routers rented directly from internet providers may be older. The two specific gateway models listed in Lumen’s report, the ActionTec T3200s and ActionTec T3260s, are both WPA2 certified — not WPA3. If you do rent a WPA2 router from your provider, it’s worth calling them and negotiating for a newer model.