Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaign
Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
Thousands of ASUS routers around the world have been hijacked in a sophisticated campaign believed to be backed by China.
According to SecurityScorecard’s Strike threat intelligence team, the WrtHug campaign leverages the proprietary AiCloud service with Nth day vulnerabilities in order to gain high privileges on end-of-life ASUS WRT routers.
The pattern of attacks and the severity of the vulnerabilities indicate potential command injection capabilities, if not root-level privileges, researchers warned.
“Operation WrtHug is a case study in how nation-state actors are embedding themselves in consumer infrastructure to build stealthy, resilient, global espionage networks,” said Gilad Maizles, security researcher at SecurityScorecard.
“The deliberate targeting of end-of-life ASUS devices by compromising proprietary applications and services such as AiCloud, reflect growing strategic interest in SOHO devices. This shows us the willingness of threat actors to specialize in targeting them as reliable staging points.”
The campaign currently appears to be affecting around 50,000 compromised devices around the world, particularly in Taiwan, the US, and Russia, with more victims in some other Southeast Asian and European countries.
All the hijacked routers share a unique, self-signed TLS certificate with a 100-year expiration date - unusually long, researchers noted, and a critical indicator of compromise that points to a level of coordination reflecting careful and calculated espionage.
It was this certificate that first alerted the team to the campaign.
Six flaws underpin the ASUS espionage campaign
The attackers have been leveraging six distinct vulnerabilities for the campaign.
CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, and CVE-2023-41348, all nearly two years old, enable attackers to perform direct OS command injection on ASUS WRT devices using insufficient filtering related to token modules. They're associated with the command injection vulnerability CVE-2023-39780.
Meanwhile, CVE-2024-12912 is an arbitrary command execution vulnerability and CVE-2025-2492 is an improper authentication control vulnerability that can lead to unauthorized function execution via a crafted request.
All are known and have officially been patched - which is why it's mostly end-of-life devices being targeted.
According to researchers, the targeted devices, methods, and timing mirror previous intrusion campaigns that have been linked to China - the LapDogs ORB, for example, recently uncovered by the Strike team.
Some of the vulnerabilities are tied to another ongoing suspected China-linked ORB operation known as AyySSHush, reported to be targeting ASUS devices earlier this year.
The team said it spotted seven IPs with signs of compromise in both Operation WrtHug and AyySSHush, suggesting either a single, evolving campaign or coordination between the two groups.
"These campaigns have demonstrated a clear evolution in attacker methodology. Persistent, resourced hackers are moving beyond simple brute-force attacks to multi-stage infections that exploit a variety of vulnerabilities," said the team.
"By chaining command injections and authentication bypasses, threat actors have managed to deploy persistent backdoors via SSH, often abusing legitimate router features to ensure their presence survives reboots or firmware updates."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Mistral CEO Arthur Mensch thinks 50% of SaaS solutions could be supplanted by AINews Mensch’s comments come amidst rising concerns about the impact of AI on traditional software
-
Westcon-Comstor and UiPath forge closer ties in EU growth driveNews The duo have announced a new pan-European distribution deal to drive services-led AI automation growth
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affectedNews Hackers remained undetected for months and distributed malicious updates to Notepad++ users after breaching the text editor software – here's how to check if you've been affected.
-
CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT – security experts explain why you should never do thatNews The incident at CISA raises yet more concerns about the rise of ‘shadow AI’ and data protection risks
-
Former Google engineer convicted of economic espionage after stealing thousands of secret AI, supercomputing documentsNews Linwei Ding told Chinese investors he could build a world-class supercomputer
-
90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move onNews Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos
-
LastPass issues alert as customers targeted in new phishing campaignNews LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign that encourages users to backup vaults.
