TLDR:
- Over 600,000 routers in the U.S. were taken offline in a mysterious cyber attack.
- The attack, known as Pumpkin Eclipse, targeted small office/home office routers issued by a single ISP.
In a destructive cyber attack carried out between October 25 and 27, 2023, more than 600,000 small office/home office (SOHO) routers in the U.S. were rendered inoperable, cutting off internet access for their users. The attack, codenamed Pumpkin Eclipse by Lumen Technologies' Black Lotus Labs team, hit three router models issued by a single U.S. internet service provider (ISP). During the attack window, 49% of all modems on the impacted ISP's network abruptly dropped offline, and the affected devices could not be recovered remotely: they had to be physically replaced.

The malware involved is Chalubo, a commodity remote access trojan (RAT) first documented by Sophos in October 2018 and known for its stealthy, anti-analysis behaviour. Despite the scale of the damage, the initial access vector has not been established. The leading hypotheses are abuse of weak credentials or exploitation of an administrative interface exposed to the internet, both of which are common weaknesses in SOHO equipment. Until the vector is confirmed, the practical takeaway for operators of similar devices is the same either way: change default credentials and restrict management interfaces to the LAN side.

One notable feature of the attack is that it was confined to a single autonomous system number (ASN), which raises questions about the attacker's motive. With more than 600,000 devices needing replacement, the incident is considered unprecedented in scale.