Thousands of Asus routers have been compromised, falling under the control of a suspected state-sponsored group from China. According to researchers at SecurityScorecard, this recent wave of hacking has primarily targeted seven specific models of Asus routers, all of which no longer receive security updates from the manufacturer. The operation, dubbed WrtHug, has raised concern because the attackers' intentions after the mass compromise remain unclear.
The compromised devices appear to behave like nodes in Operational Relay Box (ORB) networks, infrastructure that threat actors use to relay traffic for espionage. Researchers suggest that the depth of access gained by this threat actor could allow them to manipulate the compromised routers as they wish. Patterns observed in previous ORB operations point to a focus on covert activity rather than the more overt malicious actions, such as distributed denial-of-service (DDoS) attacks, typically associated with botnets.
Geographically, the majority of compromised routers are located in Taiwan, with additional clusters identified in South Korea, Japan, Hong Kong, Russia, central Europe, and the United States. This global distribution underscores the widespread impact of the compromise.
Historical context shows that the Chinese government has a track record of constructing extensive ORB networks. In 2021, a significant attack campaign linked to the Advanced Persistent Threat group APT31 utilized hacked routers for reconnaissance, leading to warnings for businesses and organizations in France. Similarly, at least three additional campaigns attributed to Chinese state actors emerged in the previous year.
While Russian state-sponsored hackers have engaged in analogous operations, they have not done so as frequently. In 2018, Kremlin-affiliated actors infected over 500,000 small office and home routers with sophisticated malware known as VPNFilter, showcasing a methodical approach to network infiltration.
The MITRE ATT&CK framework offers a useful lens on the tactics likely used in this incident. Initial access was probably achieved by exploiting vulnerabilities in the unsupported devices. The attackers might then have established persistence by installing backdoors, allowing ongoing control of the compromised routers, and may have used privilege escalation techniques to reach more sensitive network resources.
In summary, the mass compromise of Asus routers poses significant cybersecurity risk, particularly for businesses that rely on these devices. As investigations continue, professionals should remain vigilant and consider the potential implications of such breaches for their operations and data security.