At the end of May, Lumen Technologies’ Black Lotus Labs disclosed a new destructive event in which more than 600,000 small office/home office (SOHO) routers were taken offline.
The ActionTec routers belonged to a single, unidentified internet service provider (ISP), and the attack rendered the hardware unusable: the devices could not be recovered remotely and had to be physically replaced, putting them permanently out of service.
Attacks of this kind, where malware is used to physically break hardware, are not only difficult to execute but have become extremely rare: why break things when you can steal money and data instead?
Lumen said the attack resembled the “AcidRain” attack of February 24, 2022, which wiped Viasat KA-SAT modems in Ukraine as the Russian ground invasion began.
Who Broke Over Half a Million American Routers and Why?
Most of the experts Techopedia talked to said the attack that destroyed hundreds of thousands of routers in the U.S. is probably linked to a state-sponsored group.
Ryan English, Information Security Engineer at Lumen Technologies, told Techopedia that, while Lumen does not have enough information to provide attribution or motive, nation-state threat actors are one of three possibilities it is currently looking into.
The other two are an insider threat (which would require advanced technical knowledge) and an up-and-coming threat group looking to make a name for itself (no one has claimed responsibility).
Ryan from Lumen added that a nation-state actor could have used this attack as a proof of concept, hitting a small ISP that operates far from any major population center first to avoid drawing too much attention.
Curtis Blount, CSO of InsightCyber, an AI-driven cybersecurity platform, also spoke to Techopedia.
“This is often with the idea of destabilization. A random hacker or hacker group would not be interested in this type of attack as there is no monetary value.
“In most cases, this would be a nation-state attack as part of a first phase to disrupt ‘C&C’ — Command and Communications.
“This was most likely a test.”
If This Was a Test, Then What is The Real Target?
If the experts are right and the attack on routers is just a pilot project, the obvious question is what the test is for, especially given today’s geopolitical landscape, international tensions in cyberspace, and ongoing conflicts.
Stiv Kupchak, Cyber Security Research Team Lead at Akamai, spoke to Techopedia and suggested:
“With nation-state groups that have more resources at their disposal, I believe they’ll try to target critical national infrastructure.”
Small-scale cyberattack tests against U.S. critical infrastructure may already be a reality. Late last year, for example, the Municipal Water Authority of Aliquippa, Pennsylvania, had an internet-exposed controller in its water system compromised in an attack linked to Iran. Numerous health and emergency providers have been targeted in recent months, causing similar small-scale disruptions.
Kupchak from Akamai warned that, when it comes to cybercriminals and cyberwarfare escalation via ransomware-as-a-service (RaaS), nothing can be ruled out.
“Since there’s a plethora of RaaS nowadays, it’s not necessarily what a nation-state would do in an escalating conflict. More serious targeting of critical infrastructure like water or power supply, government sites, and even hospitals, that affects not just the IT side but the OT side are harder to recover.”
Hackers Can Break Almost Anything — So What Will They Go For?
The cybercriminal underground long ago shifted away from destructive malware toward more flexible tooling that better fits its business model.
A couple of decades ago, viruses were the main online threat, and malware often wiped software and operating systems, leaving machines inoperable (in the case of the 1998 CIH virus, which overwrote the BIOS flash, the hardware itself).
Cybercriminals soon realized that breaking things was a poor tactic, especially for anyone seeking money or secret data: a wiped machine cannot pay a ransom or leak credentials.
So information stealers, ransomware, spyware, and other types of malware became the norm, because they served bad actors best.
Seeing black-hat hackers once again breaking real-world devices is therefore a return to old tactics.
But if killware or Cyber-Physical Attacks (CPA) were to become the next big thing, what else could they break? Ryan from Lumen suggested:
“Just about anything they can reach!”
While Ryan recognized that these events are rare and reserved for limited, strategic purposes, he warned that end-of-life networking devices exposed to the internet, which no longer receive security patches, leave an enterprise as vulnerable as leaving the windows open and the doors unlocked.
Kupchak from Akamai agreed and said hackers can break “basically anything”.
“A dedicated enough attacker can achieve the same level of access as any user in the network and do whatever they want – from shutting down critical servers or machines to corrupting them beyond recovery.”
Kupchak added that these attacks are incredibly sophisticated and hard to execute, but that the lengthy preparation they require gives security teams plenty of opportunities to detect them before real damage is done.
Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber — a company that combines MDR+R tech with a human-powered security operations center (SOC) — spoke to Techopedia about what group would run this type of attack and why.
“State-sponsored groups could deploy an attack like this as a precursor to an invasion to disable opposition infrastructure before any kinetic activity takes place.”
Blount from InsightCyber said that attacks like this are a warning sign.
“It shows just how vulnerable our commercial sectors are to an attack of this kind. We need to be prepared.”
“It’s pretty clear the next world war is not fought with boots on the ground, rather it’s cyber and attacks on infrastructure, data storage, and cloud which can cripple any country and their economy.”
The Most Iconic Killware Attacks in History
Some define the term ‘killware’ narrowly as malware designed to cause physical damage and even death; others prefer a broader definition: any cyberattack intended to cause real-world harm to people and communities.
These attacks target operational technology (OT): the controllers, sensors, and machinery connected to IT environments that run physical processes across different industries. Critical infrastructure, health, government, defence, water, and sanitation top the list of sectors most targeted by killware.
The term killware may be relatively new, but the concept is not. Kupchak from Akamai said that the most iconic attack meeting these definitions is probably Stuxnet, which wrecked centrifuges at Iran’s Natanz uranium enrichment plant. Stuxnet is a computer worm believed to have been in development since 2005 and discovered in 2010; it has been called ‘the first cyberweapon’. Kupchak explained what damage Stuxnet inflicted on the plant.
“The Stuxnet operators achieved physical hardware breakage – they targeted the devices responsible for the centrifuges and caused the centrifuges to spin faster than they were designed for, causing them to tear apart.”
The Bottom Line: The Real World is Vulnerable
Blount from InsightCyber added that there have been several attacks of this nature over the past decade or so, including AcidRain, the Volt Typhoon and Seashell Blizzard campaigns, and NotPetya in 2017. Blount’s worst-case scenario for where such attacks could lead was frightening.
“Imagine if the social media campaign also included attacks on our Internet Infrastructure, knocking out electricity, phone services, banking, commerce, etc,” Blount said. “It doesn’t take much to induce panic along with disinformation.
“Seems like a movie plot. However, this is a real-world condition that could happen. The bottom line is that attacks are going to happen.”