How to know if your Asus router is one of thousands hacked by China-state hackers



Thousands of Asus routers have been hacked and are under the control of a suspected China-state group that has yet to disclose its intentions for the mass compromise, researchers said.

The hacking spree is either primarily or exclusively targeting seven models of Asus routers, all of which are no longer supported by the manufacturer, meaning they no longer receive security patches, researchers from SecurityScorecard said. To date, it’s unclear what the attackers do after gaining control of the devices. SecurityScorecard has named the operation WrtHug.

Staying off the radar

SecurityScorecard said it suspects the compromised devices are being used similarly to those found in ORB (operational relay box) networks, which hackers primarily use to conduct espionage while hiding their identity.

“Having this level of access may enable the threat actor to make use of any compromised router as they see fit,” SecurityScorecard said. “Our experience with ORB networks suggests compromised devices will commonly be used for covert operations and espionage, unlike DDoS attacks and other varieties of overt malicious activity typically observed from botnets.”

Compromised routers are concentrated in Taiwan, with smaller clusters in South Korea, Japan, Hong Kong, Russia, central Europe, and the United States.



A heat map of infected devices.


The Chinese government has been caught building massive ORB networks for years. In 2021, the French government warned national businesses and organizations that APT31, one of China’s most active threat groups, was behind a large attack campaign that used hacked routers to conduct reconnaissance. Last year, at least three similar China-operated campaigns came to light.

Russian-state hackers have been caught doing the same thing, although not as often. In 2018, Kremlin actors infected more than 500,000 small office and residential routers with sophisticated malware tracked as VPNFilter. A Russian government group was also independently involved in an operation reported in one of the 2024 router hacks linked above.


