Валентин Шнайдер, Around IT
24 November 2025, 15:25
Chinese hackers have seized over 50,000 Asus routers: some of them are operating in Ukraine
A Chinese-controlled hacking group has hacked more than 50,000 Asus home and office routers around the world and turned them into a hidden infrastructure for cyberespionage, with routers in Ukraine among the infected devices.
This is reported by Ars Technica with reference to research by the company SecurityScorecard, which gave the campaign the name Operation WrtHug. The attack mainly affected seven Asus models that the manufacturer has classified as end-of-life and no longer supplies with security updates. It was the lack of patches for known vulnerabilities, including some discovered back in 2023, that allowed the attackers to seize control of such devices on a massive scale.
Researchers compare the infected routers to so-called ORB (Operational Relay Box) networks — an extensive system of proxy nodes through which the attackers relay their traffic, masking the true source of attacks. On the map of infections, the largest clusters are visible in Taiwan and Southeast Asian countries, with smaller ones in the USA and Europe.
Ukrainian targets are also clearly visible: infected routers in large cities such as Kyiv, Lviv, Vinnytsia, and Odessa, as well as in the temporarily occupied Crimean peninsula, are marked. The authors of the study do not disclose the exact number of devices in each region, but emphasize that they are part of a general network of over 50,000 compromised routers worldwide.
The peculiarity of this operation is maximum «silence». Unlike classic botnets that launch loud DDoS attacks, this network is mostly hidden or used for delicate espionage operations against government agencies and critical infrastructure. Technical analysis showed that malware is installed on compromised routers, which adds a self-signed TLS certificate with a validity period until 2122 and fields such as CN=a, OU=a, O=a, which is atypical for legitimate certificates.
ASUS no longer supports these models, so owners of such devices have virtually no options other than to completely replace them with new routers with up-to-date firmware. Compromise can be determined by the presence of a suspicious certificate — instructions for finding it are published on the manufacturer’s website, and SecurityScorecard additionally described the technical signs of a hack.
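The two certificate traits named above (a self-signed certificate valid until 2122 with the subject fields CN=a, OU=a, O=a) are the kind of indicator an owner or network defender can check for without any access to the router's firmware. The following is an added example written for this page; it is not SecurityScorecard's or ASUS's tooling. It parses the text that `openssl x509 -noout -subject -enddate` prints for a certificate and flags both indicators. The indicator thresholds (a subject of exactly CN=a/OU=a/O=a, and an expiry in or after the year 2100, an assumed cut-off chosen to catch the 2122 date) are taken from the article's description only; the sample openssl output embedded below is constructed for illustration. The live `check_router` helper assumes the `openssl` command-line tool is installed and that the router's web interface is reachable on the given port.

```python
"""Flag the WrtHug-style TLS certificate indicators described in the article.

Added example for this page, not SecurityScorecard's or ASUS's tooling.
Assumptions: the 'openssl' CLI is installed for live checks; the indicator
thresholds below come from the article text (CN=a, OU=a, O=a; expiry 2122).
"""
import ssl
import subprocess
from datetime import datetime, timezone

# Subject DN components the article names as atypical for legitimate certs.
SUSPICIOUS_SUBJECT = {"CN": "a", "OU": "a", "O": "a"}
# Assumed cut-off: any leaf certificate still valid past this year is far
# outside normal issuance practice (the article's sample expires in 2122).
FAR_FUTURE_YEAR = 2100


def parse_openssl_text(text: str) -> dict:
    """Parse the 'subject=' and 'notAfter=' lines printed by
    `openssl x509 -noout -subject -enddate` into a small dict.

    Handles the comma-separated DN form ('CN = a, OU = a, O = a') that
    current OpenSSL releases print; spacing around '=' varies by version.
    """
    info = {"subject": {}, "not_after": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            for part in line[len("subject="):].split(","):
                if "=" in part:
                    key, _, value = part.partition("=")
                    info["subject"][key.strip()] = value.strip()
        elif line.startswith("notAfter="):
            # e.g. 'Jan  1 00:00:00 2122 GMT'; collapse the padded day field.
            raw = " ".join(line[len("notAfter="):].split())
            parsed = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z")
            info["not_after"] = parsed.replace(tzinfo=timezone.utc)
    return info


def indicators(info: dict) -> list[str]:
    """Return the matched indicators; an empty list means nothing was flagged."""
    hits = []
    subject = info["subject"]
    if all(subject.get(k) == v for k, v in SUSPICIOUS_SUBJECT.items()):
        hits.append("subject CN=a/OU=a/O=a")
    not_after = info["not_after"]
    if not_after is not None and not_after.year >= FAR_FUTURE_YEAR:
        hits.append(f"notAfter in {not_after.year} (far-future validity)")
    return hits


def check_router(host: str, port: int = 443) -> list[str]:
    """Live check: fetch the device's leaf certificate and run the indicator
    check. Needs network access to the router and the openssl CLI."""
    pem = ssl.get_server_certificate((host, port))
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout
    return indicators(parse_openssl_text(out))


# Constructed samples of openssl output: one mirroring the article's
# indicators, one resembling an ordinary device certificate.
SAMPLE_SUSPICIOUS = """subject=CN = a, OU = a, O = a
notAfter=Jan  1 00:00:00 2122 GMT
"""
SAMPLE_BENIGN = """subject=CN = router.example, O = Example Networks
notAfter=Mar 15 12:00:00 2027 GMT
"""

if __name__ == "__main__":
    print("suspicious sample:", indicators(parse_openssl_text(SAMPLE_SUSPICIOUS)))
    print("benign sample:", indicators(parse_openssl_text(SAMPLE_BENIGN)))
```

A match on either indicator is grounds to treat the device as compromised and follow the manufacturer's guidance; for a model that no longer receives firmware updates, that means replacing it, as the article notes, since there is no patch to apply.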
Experts remind that this is not the first time that Chinese structures have built ORB networks based on hacked routers: similar campaigns have been reported before, in particular, regarding APT31, which is linked to Chinese intelligence.
dev.ua previously reported that the U.S. government is considering a complete ban on TP-Link routers after more than a year of intense scrutiny by multiple agencies. The ban is being proposed by the Department of Commerce with support from the Departments of Justice, Defense, Homeland Security, and others. The White House is concerned about national security due to TP-Link’s close ties to China.