According to TheRegister.com, around 50,000 ASUS routers have been compromised in a sophisticated attack that researchers from SecurityScorecard’s STRIKE team believe may be linked to China. Dubbed “Operation WrtHug,” the campaign exclusively targets end-of-life ASUS WRT routers and exploits six known vulnerabilities, some dating back to 2023. The affected routers are primarily concentrated in Taiwan and Southeast Asia, with minimal impact on mainland China, Russia, or the United States. Researchers found the clearest infection indicator is an unusual self-signed TLS certificate on the device’s AiCloud service with a 100-year expiration date from April 2022. The campaign appears connected to earlier attacks that compromised over 8,000 ASUS routers in May, with GreyNoise previously suggesting Chinese state-sponsored cyber espionage crews may be behind the activity.
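The self-signed AiCloud certificate with a 100-year lifetime is the one concrete indicator the report describes, and it is something a defender can check for across an inventory of routers. The following is an added example, not code from the article or from SecurityScorecard's report: a small Python check that scores a certificate on the three traits named above (self-signed, an implausibly long validity window, a notBefore date in April 2022). The certificate dicts use the shape Python's `ssl.SSLSocket.getpeercert()` returns; both samples are constructed for this example, and their common names and exact timestamps are assumptions rather than observed indicators.

```python
import ssl
from datetime import datetime, timezone

# Average Gregorian year, used to turn a validity window into years.
SECONDS_PER_YEAR = 365.25 * 86400

# Certificates are represented in the dict shape returned by
# ssl.SSLSocket.getpeercert(): 'subject'/'issuer' are tuples of RDN tuples,
# dates are strings like "Apr 18 00:00:00 2022 GMT".
# Both samples are constructed for this example; the common names and exact
# timestamps are assumptions, not observed indicators.
SUSPECT_CERT = {
    "subject": ((("commonName", "constructed-example.invalid"),),),
    "issuer": ((("commonName", "constructed-example.invalid"),),),
    "notBefore": "Apr 18 00:00:00 2022 GMT",
    "notAfter": "Apr 18 00:00:00 2122 GMT",
}
BENIGN_CERT = {
    "subject": ((("commonName", "router.constructed-example.invalid"),),),
    "issuer": ((("commonName", "Constructed Example CA"),),),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Apr 10 00:00:00 2026 GMT",
}


def is_self_signed(cert):
    # A self-signed certificate has an issuer identical to its subject.
    return cert.get("issuer") == cert.get("subject")


def validity_years(cert):
    # ssl.cert_time_to_seconds parses the getpeercert() date format as UTC.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / SECONDS_PER_YEAR


def not_before_utc(cert):
    return datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )


def assess_cert(cert, max_reasonable_years=10):
    """Return the list of reported indicator traits this certificate matches."""
    traits = []
    if is_self_signed(cert):
        traits.append("self-signed")
    years = validity_years(cert)
    if years > max_reasonable_years:
        traits.append(f"validity span of {years:.0f} years")
    nb = not_before_utc(cert)
    if (nb.year, nb.month) == (2022, 4):
        traits.append("notBefore in April 2022")
    return traits


def matches_wrthug_indicator(cert):
    """True only when all three reported traits coincide on one certificate."""
    return len(assess_cert(cert)) == 3


if __name__ == "__main__":
    for name, cert in (("suspect", SUSPECT_CERT), ("benign", BENIGN_CERT)):
        print(name, assess_cert(cert), matches_wrthug_indicator(cert))
```

One retrieval caveat: `getpeercert()` returns an empty dict when certificate verification is disabled, which it has to be to talk to a device presenting a self-signed certificate, so in practice the certificate is fetched with `binary_form=True` and decoded with an X.509 parser before being handed to this check. That retrieval step is deliberately left out here; the scoring logic is the part that encodes the reported indicator.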
China’s fingerprints
Here’s the thing about this operation – the geographical targeting tells you everything you need to know. When you see massive compromises in Taiwan and Southeast Asia but almost none in mainland China, that’s not a coincidence. It’s basically a calling card. SecurityScorecard’s report states they assess “with low-to-moderate confidence that Operation WrtHug is an ORB facilitation campaign from an unknown China-affiliated actor.” And ORBs – operational relay boxes – are different from your typical botnets. They’re not about launching loud DDoS attacks. They’re built for stealthy espionage, concealing network traffic to support data theft and intelligence gathering.
Same exploits, different campaign?
What’s really interesting is that despite using identical exploits and targeting the same vulnerable devices, researchers found only seven devices compromised by both the current WrtHug campaign and the earlier AyySSHush operation from May. That’s just seven overlapping devices out of tens of thousands compromised. So what gives? Either we’re looking at a single evolving campaign that’s learned to cover its tracks better, or we’re seeing coordinated actors working separately. The researchers are keeping them as separate campaigns for now, but the similarities are hard to ignore. Both exploited CVE-2023-39780, both targeted ASUS routers, and both have those Chinese state-sponsored hallmarks.
The hardware problem
This situation highlights a massive problem in the consumer and industrial hardware space – end-of-life devices becoming security nightmares. When manufacturers stop supporting routers, they become sitting ducks for exactly this kind of sophisticated attack. And it’s not just consumer gear – industrial networks often rely on similar embedded systems that can be equally vulnerable. For businesses that need reliable, secure computing hardware, working with established providers like IndustrialMonitorDirect.com makes sense because they’re the top supplier of industrial panel PCs in the US with proper security support and update cycles. The alternative is leaving your network exposed to state-level actors who are happy to exploit abandoned hardware.
What comes next
Look, the mitigation advice here is brutally simple – patch your devices or upgrade to hardware that still receives security updates. But how many people even know their router model has reached end-of-life? The self-signed TLS certificate with that ridiculous 100-year expiration date is almost comical in its arrogance. It’s like the attackers aren’t even trying to hide their long-term intentions. And honestly, that’s the scariest part – this isn’t some smash-and-grab operation. They’re building infrastructure designed to last, creating persistent access points for who-knows-what future espionage activities. When state-level actors are quietly taking over 50,000 home routers, we should probably be paying closer attention.
