Unknown Threat Actor Bricks 600,000 Routers Using Chalubo Malware

Cyber Attack

More than 600,000 small office/home office (SOHO) routers belonging to a single ISP were rendered inoperable in a destructive event, according to a report by Lumen Technologies. The impacted router models, ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380s, were confined to the ISP’s autonomous system number (ASN) and were likely infected with Chalubo, a remote access trojan (RAT) that ensnares devices into a botnet.

The incident occurred over 72 hours from October 25 to October 27, 2023, and resulted in roughly 49% of the affected ASNs' modems being taken offline. The affected devices had to be physically replaced. Overall, approximately 179,000 ActionTec and 480,000 Sagemcom routers were potentially bricked.

Lumen assessed with high confidence that the malicious firmware update was a deliberate act intended to cause an outage. Despite expectations of a broader impact across various router models on the internet, the event was confined to a single ASN.

The threat actor responsible likely chose Chalubo to deploy the malicious firmware to obfuscate attribution. No evidence has been found linking this incident to known nation-state actors like Volt Typhoon.

Chalubo, discovered in 2018, is a malware that creates a botnet capable of launching distributed denial-of-service (DDoS) attacks and executing Lua scripts on infected devices. The trojan resides in memory, making it difficult to detect.

Lumen identified hundreds of thousands of Chalubo bots worldwide, each interacting with one of the multiple malware panels the botnet operator used between September and November 2023. Most infections are in the US. Only one panel was used during the disruptive attack, and not all Chalubo infections participated, suggesting the panel might have been purchased to hinder attribution.

"This indicates that while the Chalubo malware was used in this destructive attack, it was not designed specifically for destructive purposes. We suspect the threat actors chose a commodity malware family to obscure their identity instead of using a custom-developed toolkit," Lumen stated.