Cyberattack Disables Over 600,000 Internet Routers in Midwest

A cyberattack caused an outage that disabled over 600,000 internet routers across several Midwestern states, according to new research from Black Lotus Labs, the threat research arm of Lumen Technologies.

The investigation did not reveal the specific company targeted, but Reuters has identified the victim as Windstream, an Arkansas-based Internet Service Provider (ISP), by cross-referencing internet outages reported during the same period. Windstream, which serves many rural and underserved communities, declined to comment when contacted.

Black Lotus Labs’ investigation was prompted by numerous complaints on social media and outage detection platforms regarding specific routers, particularly the ActionTec T3200 and ActionTec T3260 models. Users reported that their issues were only resolved when their provider replaced the affected devices.

The malicious firmware package responsible for deleting parts of the operational code on the impacted routers was identified as “Chalubo,” a common remote access trojan. The method by which the firmware reached customers—whether through an unknown exploit, weak credentials, or access to administrative tools—remains unclear. Researchers described the incident as “a deliberate act intended to cause an outage.”

Although some aspects of the attack are still unknown, Black Lotus Labs recommends that organizations secure management devices and avoid basic security vulnerabilities such as default passwords. Consumers are also encouraged to keep their devices up to date with regular security updates.