Thousands of end-of-life ("expired") ASUS routers (models including **4G-AC55U, GT-AX11000 and RT-AC1300UHP**) were hijacked by **Chinese state-sponsored actors** into a botnet tracked as **'Operation WrtHug'**, by exploiting **n-day vulnerabilities (CVE-2023-41345, CVE-2024-12912, among others)**. The attackers deployed a **self-signed TLS certificate with a 100-year validity period** to mask their espionage traffic, turning the compromised routers into a **globally distributed relay network** for cyber-espionage. Most affected devices were in **Taiwan and Southeast Asia**, consistent with the actors' geopolitical targeting interests. The botnet provided hidden C2 infrastructure, resilient attack staging, and a launch point for intrusions against high-value targets, posing risks to **national security, critical communications, and geopolitical stability**. No direct financial or customer data breaches were reported, but the campaign facilitated **large-scale covert surveillance and potential future attacks** on strategic entities.
ASUS cybersecurity rating report: https://www.rankiteo.com/company/asus
"id": "ASU1192111111925",
"linkid": "asus",
"type": "Cyber Attack",
"date": "6/2023",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'thousands (router owners)',
                        'industry': 'consumer electronics/networking',
                        'location': 'Taiwan',
                        'name': 'ASUS',
                        'type': 'technology manufacturer'},
                       {'location': ['Taiwan', 'Southeast Asia'],
                        'name': 'Router owners (individuals/organizations)',
                        'type': ['individuals', 'businesses', 'government entities']}],
 'attack_vector': ['exploitation of n-day vulnerabilities',
                   'end-of-life (EOL) device targeting',
                   'self-signed TLS certificate abuse (100-year validity)'],
 'customer_advisories': ['ASUS likely issued advisories for affected router models (4G-AC55U, 4G-AC860U, DSL-AC68U, GT-AC5300, GT-AX11000, RT-AC1200HP, RT-AC1300GPLUS, RT-AC1300UHP)'],
 'data_breach': {'data_encryption': ['self-signed TLS certificate (100-year validity) deployed on routers']},
 'description': "Thousands of expired ASUS routers are being hijacked and assimilated into a botnet ('Operation WrtHug') used as infrastructure for cyber-espionage operations. Chinese state-sponsored actors exploited multiple n-day vulnerabilities (CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, CVE-2025-2492) to deploy a self-signed TLS certificate with a 100-year expiration date. The compromised routers form a relay network, primarily in Taiwan and Southeast Asia, enabling espionage traffic routing, origin obfuscation, and resilient C2 infrastructure for attacks against high-value geopolitical targets.",
 'impact': {'brand_reputation_impact': ['potential reputational damage to ASUS due to exploited EOL devices'],
            'operational_impact': ['routers repurposed as relay nodes for espionage traffic',
                                   'obfuscation of threat actor origin',
                                   'potential staging for high-value attacks'],
            'systems_affected': ['thousands of ASUS routers']},
 'initial_access_broker': {'backdoors_established': ['self-signed TLS certificate for persistent C2'],
                           'entry_point': ['exploited n-day vulnerabilities in ASUS routers'],
                           'high_value_targets': ['geopolitical entities in Taiwan/Southeast Asia']},
 'investigation_status': 'ongoing (disclosed by SecurityScorecard/ASUS)',
 'lessons_learned': ['End-of-life (EOL) devices pose significant risks if left unpatched or in use.',
                     'State-sponsored actors leverage n-day vulnerabilities in legacy systems for espionage infrastructure.',
                     'Long-lived certificates (e.g., 100-year TLS) can serve as indicators of sophisticated, persistent campaigns.',
                     'Geopolitical alignment of compromised assets (e.g., Taiwan/Southeast Asia) highlights strategic targeting.'],
 'motivation': ['cyber-espionage',
                'geopolitical targeting',
                'resilient C2 infrastructure'],
 'post_incident_analysis': {'root_causes': ['Use of EOL routers with unpatched n-day vulnerabilities',
                                            'Lack of automatic updates or user patching for legacy devices',
                                            'Abuse of trusted firmware (AsusWRT) for malicious purposes']},
 'recommendations': ['Replace or decommission EOL networking devices to eliminate attack surfaces.',
                     'Monitor for unusual certificate lifetimes (e.g., 100-year TLS) as potential IoCs.',
                     'Implement network segmentation to limit lateral movement via compromised routers.',
                     'Enhance detection for ORB (Operational Relay Box)-like traffic patterns.',
                     'Public-private collaboration for threat intelligence sharing (e.g., ASUS-SecurityScorecard model).'],
 'references': [{'source': 'TechRadar'},
                {'source': 'SecurityScorecard & ASUS joint report'}],
 'response': {'communication_strategy': ['public disclosure via SecurityScorecard/ASUS report',
                                         'media coverage (e.g., TechRadar)'],
              'incident_response_plan_activated': ['collaboration between SecurityScorecard and ASUS'],
              'third_party_assistance': ['SecurityScorecard']},
 'threat_actor': ['Chinese state-sponsored actors'],
 'title': 'Operation WrtHug: Thousands of expired ASUS routers hijacked into cyber-espionage botnet',
 'type': ['botnet', 'cyber-espionage', 'supply chain compromise'],
 'vulnerability_exploited': ['CVE-2023-41345',
                             'CVE-2023-41346',
                             'CVE-2023-41347',
                             'CVE-2023-41348',
                             'CVE-2024-12912',
                             'CVE-2025-2492']}