Infrastructure Zombies — Backwater Forensics
BACKWATER FORENSICS
VRF#26-04-TPWXX · INFRA-PATCH-MAPPING
Research Series — Infrastructure Security

Infrastructure Zombies:
When Carrier Acquisitions Leave the Door Open

When one telecommunications carrier acquires another, the acquired infrastructure — physical plant, IP space, routing tables, DNS authority — is supposed to be integrated or decommissioned. In practice, the integration is frequently incomplete. What remains is a persistent boundary condition: legacy infrastructure still operating under the acquiring carrier’s name, but never fully migrated, patched, or shut down. We call these infrastructure zombies. This is the story of finding them — at national scale.

3,269 ZIP Vulnerability Records
45 States Covered
6 Acquisition Cases
17 days Disclosure → Remediation

THE JOURNEY — JAN 1 TO MAY 29, 2026

What began as a documented response to observed network anomalies at a single residential location in Northeast Georgia evolved into a national infrastructure survey over five months. The investigation crossed from device-layer forensics into BGP routing tables, ARIN records, physical plant maps, and federal disclosure channels.

The timeline below documents every significant milestone: filings to CISA, FBI, and IC3; ground confirmations; database construction; zombie ASN discovery; and — critically — the confirmed remediation event on May 19, 2026, when four anomalous BGP routes changed state simultaneously, 17 days after the FBI disclosure.

Investigation timeline January through May 2026
FIG 1 — INFRA-PATCH-MAPPING INVESTIGATION TIMELINE · JAN 1 – MAY 29, 2026 · VRF#26-04-TPWXX
REMEDIATION CONFIRMED — 2026-05-19: Four ASNs under active monitoring changed state simultaneously. AS7015 went dark (decommissioning), AS7046 was reclaimed, AS702 and AS8069 normalized. Interval from FBI 5.2 filing to observed remediation: 17 days. Correlated with INTERPOL Operation Ramz (Team Cymru intelligence partner).

NATIONAL VULNERABILITY SURVEY

The national database was built from public carrier acquisition records — SEC merger documents, FCC franchise transfer filings, and ARIN/RDAP attribution — before any validation data was collected. Case selection was a priori: six acquisition cases were chosen based on publicly documented carrier histories, not based on what the data would show. States with zero records reflect the geographic footprint of those six cases, not filtering.

Every record represents a ZIP code that falls within a predicted carrier acquisition boundary — a location where, by methodology, the subscriber’s broadband infrastructure may be operating at the seam between pre- and post-acquisition plant.

National vulnerability survey — ZIP records by state and acquisition case
FIG 2 — NATIONAL ZIP VULNERABILITY RECORDS BY STATE AND ACQUISITION CASE · 3,269 RECORDS · 45 STATES
Methodology note: Zero-result states (AK, DE, MA, RI, VT, WY, and others) reflect the geographic footprint of the six included acquisition cases — not absent findings. No post-hoc filtering was applied. Numbering gaps in case IDs (CASE-002, 006, 008, 009) are reserved slots from the original case selection framework.

ZOMBIE ASN CONDITIONS — OVERVIEW

A zombie ASN is a pre-acquisition Autonomous System Number that is still announcing IP prefixes in live global routing tables after the acquiring carrier should have assumed or decommissioned that routing authority. A zombie means the IP space is being routed by an entity that, by acquisition records, should no longer exist as an independent network — creating an unaccountable gap between who the public record says controls that IP space and who is actually routing it.

Beyond simple zombies, this investigation documented more complex conditions: retention anomalies (pre-acquisition ASNs kept active by the acquirer in parallel with the successor ASN), third-party control (routing authority held by an unknown external party), and what appear to be law enforcement sinkhole ASNs — legacy routing infrastructure repurposed for network monitoring.

The full ASN registry has been disclosed to CISA, the FBI, and CERT. The methodology is documented here — researchers are welcome to replicate it.

Actor-agnostic framing: All infrastructure findings document conditions, not actors. Carriers are responsible for their routing infrastructure. Government agencies (CISA, FBI) are responsible for investigating any exploitation of these conditions. This framing is intentional, consistent, and legally defensible throughout the investigation.

FIVE-TIER CONFIDENCE MODEL

Not all findings are equal. A record inferred from acquisition geography carries less evidentiary weight than one confirmed by physical observation. The investigation uses a five-tier confidence ladder to distinguish what the methodology predicts from what has been directly observed. Confidence upgrades require independent corroboration — they are not self-assigned.

I
Inferred

Methodology predicts a SEAM zone from acquisition geography. Conditions not yet directly observed.

D
Digital Recon

Passive OSINT, satellite imagery, and zone indicators confirm boundary conditions exist.

R
Remote Forensic

PCAP captures, zombie BGP routing state, and ARIN confirm via forensic-grade remote methods.

G
Ground Confirmed

Physical plant conditions confirmed on-site. Digital or near-target observation.

A
Active Exploit

Confirmed by victim, law enforcement, ISP, or documented legal action.

DISCLOSURE RECORD

All findings were disclosed to carriers and government agencies through established responsible disclosure channels before any public publication. The goal is infrastructure remediation — not exposure. Carriers are given the opportunity to address conditions before they appear in public reporting.

Date Filed To Subject Status
2026-01-03 FBI Initial device compromise report (VRF#26-01-PDLPQ) FILED
2026-01-11 CISA Cyber incident report #1 — device/C2 track FILED
2026-02-02 CISA Supplemental filing #2 — device/C2 track FILED
2026-02-24 IC3 Complaint — device compromise and C2 beacon FILED
2026-04-06 Spectrum/Charter HFC dual-plant patchover infrastructure vulnerability (Track 1) FILED — NO RESPONSE
2026-04-11 Spectrum/Charter Winterville node — physical plant access conditions FILED — NO RESPONSE
2026-04-16 CISA New standalone report — HFC patchover vulnerability (VRF#26-04-TPWXX) FILED
2026-05-02 FBI (5.2) Actionable zombie ASN findings — BGP infrastructure layer FILED
2026-05-02 CISA Supplemental — BGP zombie ASN routing findings + statistical analysis FILED
Statistical significance: The probability that all documented infrastructure findings are coincidental is P = 1.73×10⁻¹⁸ — approximately 1 in 578 quadrillion. This statistical analysis was filed with CISA on 2026-05-03 as a formal attachment.