Chinese state-sponsored hackers have infiltrated over 1,000 routers worldwide, transforming small office and home office devices into a sprawling espionage network that targets critical sectors across the United States and Asia-Pacific region. The campaign, known as LapDogs, began in September 2023 and has compromised up to 60 devices per operational run, creating what researchers call Operational Relay Boxes.
The attackers employ sophisticated firmware manipulation techniques, including hot patching, bootloader modifications, and complete firmware replacement, to bypass router security features. They exploit vulnerabilities in outdated SSH services, particularly CVE-2015-1548 and CVE-2017-17663, found in Ruckus Wireless and Buffalo Technology routers. The compromised devices then serve as relay points, masking the origin and destination of malicious traffic behind everyday networking equipment. With data breach costs averaging $4.35 million, organizations face severe financial risk from such intrusions.
Central to the operation is ShortLeash, a custom backdoor that allows remote command execution and maintains persistent access to infected devices. The malware can survive device reboots and firmware updates by embedding itself into startup processes.
Attackers use self-signed TLS certificates that pose as legitimate organizations, including certificates labeled “LAPD,” to improve stealth during communications and evade detection systems.
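A self-signed certificate carrying an organization name it has no business carrying is a concrete artifact a defender can hunt for on router management ports. The following Go program is an added example, not code from the report or from any vendor: it checks a parsed X.509 certificate for two properties the text describes, being self-signed (issuer equals subject and the signature verifies under the certificate's own key) and naming a watch-listed organization. "LAPD" comes from the report; the watch list, the "Example Corp" private CA, the "router-mgmt" common name and the two certificates themselves are constructed here for the demonstration using only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding records why a certificate seen on a router's management interface is suspicious.
type Finding struct {
	SelfSigned  bool     // issuer == subject and the signature verifies with the cert's own key
	SuspectName bool     // subject or issuer names an organization on the watch list
	Reasons     []string // explanations suitable for an alert
}

// WatchList holds organization names worth alerting on. "LAPD" is the label the
// report mentions; anything else is an assumption to be tuned per environment.
var WatchList = []string{"LAPD"}

// InspectCert applies both checks to an already-parsed certificate.
func InspectCert(cert *x509.Certificate) Finding {
	var f Finding
	// CheckSignature verifies the TBS bytes with the certificate's own public key,
	// so it works for self-signed leaf certificates that carry no CA constraints.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		f.SelfSigned = true
		f.Reasons = append(f.Reasons, "self-signed: issuer equals subject and signature verifies with own key")
	}
	names := append([]string{cert.Subject.CommonName, cert.Issuer.CommonName}, cert.Subject.Organization...)
	names = append(names, cert.Issuer.Organization...)
	for _, n := range names {
		for _, w := range WatchList {
			if strings.EqualFold(strings.TrimSpace(n), w) {
				f.SuspectName = true
				f.Reasons = append(f.Reasons, "name matches watch list entry: "+n)
			}
		}
	}
	return f
}

// newCert issues a P-256 certificate. With parent == nil it signs itself; otherwise
// it is signed by parent's key, as a normally provisioned device certificate is.
func newCert(serial int64, org, cn string, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildSamples constructs two certificates for the demonstration (not real captures):
// a self-signed one labelled "LAPD" in the style the report describes, and one issued
// by a constructed private CA, standing in for a legitimately provisioned device.
func BuildSamples() (suspect, benign *x509.Certificate, err error) {
	suspect, _, err = newCert(1, "LAPD", "router-mgmt", false, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	ca, caKey, err := newCert(2, "Example Corp Device CA", "Example Corp Device CA", true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	benign, _, err = newCert(3, "Example Corp", "router-mgmt", false, ca, caKey)
	return suspect, benign, err
}

func main() {
	suspect, benign, err := BuildSamples()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{suspect, benign} {
		f := InspectCert(c)
		fmt.Printf("subject=%q issuer=%q self_signed=%v suspect_name=%v reasons=%v\n",
			c.Subject.String(), c.Issuer.String(), f.SelfSigned, f.SuspectName, f.Reasons)
	}
}
```

In practice the certificates handed to InspectCert would come from a scan of management ports (the peer chain in a tls.Conn's ConnectionState) or from PEM exports parsed with x509.ParseCertificate; the self-signed test on its own is noisy, since many routers ship with self-signed certificates, which is why the name check is paired with it.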
The espionage network spans multiple continents, targeting organizations in IT, media, networking, and real estate sectors across the United States, Southeast Asia, Japan, South Korea, Hong Kong, and Taiwan. The inclusion of real estate companies raises particular concerns about supply chain and infrastructure security vulnerabilities.
To maintain operational security, the hackers disable security logging and employ “living off the land” tactics, using the router's own legitimate administration tools to reduce the likelihood of detection. Specific control packets can trigger the backdoor while bypassing security controls such as access control lists and activity logs. The risk is particularly pronounced in devices that have reached end-of-life status and no longer receive the security patches and updates that would otherwise protect against such sophisticated attacks.
This methodical approach involves slow, deliberate infections designed to avoid triggering widespread security alerts. The campaign demonstrates a sophisticated understanding of industry-specific vulnerabilities, with the attackers adapting dual-use tools to various router models and firmware versions.
The botnet infrastructure utilizes hundreds of compromised routers as relay nodes, creating a resilient network that conceals malicious operations within legitimate internet traffic patterns.