Date: 2024-05-31

More than 600,000 internet routers belonging to a single internet provider were taken offline during a three-day period in October.

Security analysts from Lumen Technologies' Black Lotus Labs detailed the attack in research published Thursday. All of the routers were leased by a single internet provider and were rendered permanently inoperable, requiring a hardware-based replacement. Nearly half of all the company’s modems were abruptly taken offline over those three days in October.

“The event was unprecedented due to the number of units affected -- no attack that we can recall has required the replacement of over 600,000 devices,” Lumen’s researchers wrote. “In addition, this type of attack has only ever happened once before, with AcidRain used as a precursor to an active military invasion.”

There are two unanswered questions in the report: Which internet provider was attacked and who was responsible?

Which internet provider’s routers were hacked?

Lumen’s report doesn’t name which internet provider the routers belonged to. The researchers traced the attack to two different brands of gateway devices, Sagemcom and ActionTec, which both displayed a static red light. Users on public internet forums described calls with customer service in which they were told the entire unit would need to be replaced.

When Lumen’s researchers cross-referenced these modem and router combo devices with the internet providers who use them, they found one specific provider with a 49% drop in the number of its devices connected to the internet.

[Image: A single internet provider saw a decrease of roughly 49% in the number of devices connected to the internet over three days in October. Credit: Lumen Technologies' Black Lotus Labs]

“A sizeable portion of this ISP’s service area covers rural or underserved communities,” said Lumen’s researchers. “Places where residents may have lost access to emergency services, farming concerns may have lost critical information from remote monitoring of crops during the harvest, and health care providers cut off from telehealth or patients’ records.”

While the researchers declined to name the affected internet provider, Reuters reporting found that Windstream was the company in question, citing a comparison of event descriptions in the Lumen report with internet outages on the dates of the attack. A spokesperson for Windstream declined CNET’s request for comment.

Who was responsible for the attack?

Lumen’s researchers concluded that “the event was likely a deliberate action taken by an unattributed malicious cyber actor,” but they didn’t speculate on which actor that might be.

“At this time, we do not have an overlap between this activity and any known nation-state activity clusters,” the report states. “We assess with high confidence that the malicious firmware update was a deliberate act intended to cause an outage, and though we expected to see a number of router make and models affected across the internet, this event was confined to the single ASN.”

ASN stands for autonomous system number, a unique identifier for the group of networks a provider operates, which is like an internet provider’s social security number. What was unique about this attack is that it was confined to a single internet provider rather than a specific router model or vulnerability.

The FBI did not immediately respond to CNET’s request for comment.

How to keep your router protected

“Destructive attacks of this nature are highly concerning, especially so in this case,” Lumen’s researchers wrote. In addition to taking you offline for an extended period, Wi-Fi hacks can expose personal information, install malware or redirect your internet traffic. Here are some practical tips to help strengthen your network’s security: