One research report cited by O’Rielly came from Check Point, which discovered that a Chinese state-sponsored APT group it tracks as Camaro Dragon implanted a malicious backdoor called Horse Shell that was tailored for TP-Link routers. Check Point notes that Horse Shell “is a binary compiled for MIPS32 MSB operating system and written in C++. Many embedded devices and routers run MIPS-based operating systems, and TP-Link routers are no different.”
Malware could have just as easily been planted on other brands’ equipment
The author of that report, Itay Cohen, research lead at Check Point, tells CSO that the Chinese threat group could have just as easily implanted the malware on routers from US-based Cisco, which are manufactured in Korea, China, Taiwan, Malaysia, and Singapore, or US-based Netgear, which outsources its router manufacturing to electronics companies in other countries, including China or Taiwan.
“In many cases, the same attackers are using different router vendors,” Cohen says. “There is a chance that in the attack we analyzed, more router vendors were infected in the chain. Even though we found it for TP-Link-specific versions, the code was not written specifically for TP-Link. It was generic enough that it theoretically could have been written as a framework that the attackers deploy on other routers or other vendors.”
