In late October, subscribers of Windstream’s Kinetic broadband service reported widespread router failures, affecting approximately 600,000 devices across 18 states. Users flooded online forums with complaints, noting their ActionTec T3200 routers displayed a persistent red light and were unresponsive to resets. The outages significantly disrupted daily life, with one subscriber citing over $1,500 in losses due to the service interruption.
Windstream, serving 1.6 million subscribers, initially provided little explanation. The company replaced the bricked routers, but the incident remained shrouded in mystery until a recent report by security firm Lumen Technologies’ Black Lotus Labs. Their investigation revealed that the outage was the result of a deliberate cyberattack involving malware known as Chalubo. This malware infected the routers, executing custom Lua scripts that permanently overwrote the firmware, rendering the devices unusable.
The attack targeted a single autonomous system number (ASN), and Black Lotus Labs observed a significant drop in the number of affected router models during the outage period. The attack's scale and precision are unprecedented, with the only comparable incident being the 2022 AcidRain malware attack on Viasat modems amid the Ukraine conflict.
Researchers suspect a sophisticated threat actor, potentially a nation-state, orchestrated the attack, though they have not identified any specific group. The malware’s use of commodity tools rather than custom-developed ones complicates attribution. Despite thorough analysis, the initial infection vector remains unknown, with possibilities ranging from exploiting vulnerabilities to leveraging weak credentials or exposed administrative panels.
Windstream has not responded to inquiries about the incident, leaving affected customers and security experts seeking more answers about this significant and unusual cyberattack.