Hackers hijack over 16,000 TP-Link network devices, creating a big ol’ botnet that’s absolutely slamming Microsoft Azure accounts

As a tenant well-acquainted with the Faraday cages characteristic of much of Bath’s Georgian architecture, I have often found TP-Link WiFi adapters to be quite useful (after all, that Bridgerton fan fiction will not read itself, especially not on an unreliable internet connection). Regrettably, these adapters, along with numerous other networking products from TP-Link, appear to be highly susceptible to hacking attempts.

The situation is even more alarming: according to Ars Technica, thousands of TP-Link routers have been compromised by hackers allegedly acting on behalf of the Chinese government. These compromised routers have been integrated into a botnet that is launching password spray attacks against Microsoft Azure accounts, generating a significant volume of login attempts from a constantly changing array of IP addresses.

An astonishing 16,000 affected devices have been consolidated into what is referred to as the 7777 (or Quad7) botnet. The name refers to TCP port 7777, which the compromise leaves open on affected devices and which betrays the infection; it was coined by the researcher who first reported the botnet in October 2023.

Regarding Azure, Microsoft’s cloud services have previously faced similar attacks, most recently resulting in unauthorized access to email accounts belonging to several U.S. government agencies. In that case, the hacker group Storm-0558 was identified as responsible, and a recent blog post from Microsoft indicates that this group has been utilizing credentials obtained through the 7777 botnet, implying a “close working relationship” between the hackers and those controlling the botnet.

When hackers gain access through a compromised account, Microsoft has observed that they often move laterally within the network, gathering additional data and attempting to install remote access trojans to facilitate future re-entry. Security researchers from Sekoia TDR and Team Cymru reported that the 7777 botnet was operational as recently as August of this year. Compromised routers have been identified globally, with the highest concentration of affected devices located in Bulgaria, followed closely by Russia, the United States, and Ukraine. This widespread network of devices complicates efforts to identify the origin of the attack or even to confirm that an attack is occurring.
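The two paragraphs above describe the defender's problem: a spray that spreads a handful of failed logins across many accounts, from thousands of residential router addresses, never trips a per-IP lockout threshold. The detection below is an added example (not code from the article, Microsoft, Sekoia or Team Cymru) that aggregates failures across all source addresses within a time window instead of per IP. The sign-in records are a constructed CSV with the assumed columns timestamp, user, source_ip and result; real Entra ID sign-in logs carry more fields, and the thresholds are illustrative assumptions to tune against your own baseline.

```python
import csv
from collections import defaultdict
from datetime import datetime, timezone
from io import StringIO

# Constructed sample sign-in records (not real logs). The 10:00 window shows a
# spray: one or two failures per account, each from a different address. The
# 11:00 window shows a single-account brute force, which is a different pattern.
SAMPLE_SIGNINS = """timestamp,user,source_ip,result
2024-09-10T10:01:12Z,alice@example.com,203.0.113.10,Failure
2024-09-10T10:02:40Z,bob@example.com,203.0.113.11,Failure
2024-09-10T10:03:05Z,carol@example.com,198.51.100.7,Failure
2024-09-10T10:04:31Z,dave@example.com,198.51.100.8,Failure
2024-09-10T10:05:59Z,erin@example.com,192.0.2.21,Failure
2024-09-10T10:07:14Z,frank@example.com,192.0.2.22,Failure
2024-09-10T10:08:50Z,alice@example.com,203.0.113.12,Failure
2024-09-10T10:09:33Z,grace@example.com,198.51.100.9,Failure
2024-09-10T10:12:00Z,alice@example.com,10.0.0.5,Success
2024-09-10T11:00:01Z,heidi@example.com,203.0.113.50,Failure
2024-09-10T11:00:45Z,heidi@example.com,203.0.113.50,Failure
2024-09-10T11:01:30Z,heidi@example.com,203.0.113.50,Failure
2024-09-10T11:02:15Z,heidi@example.com,203.0.113.50,Failure
2024-09-10T11:03:00Z,heidi@example.com,203.0.113.50,Failure
2024-09-10T11:03:45Z,heidi@example.com,203.0.113.50,Failure
2024-09-10T11:20:00Z,heidi@example.com,10.0.0.6,Success
"""


def parse_signins(text):
    """Parse the assumed CSV layout into a list of event dicts with UTC timestamps."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        events.append({
            "ts": ts,
            "user": row["user"].strip().lower(),
            "ip": row["source_ip"].strip(),
            "ok": row["result"].strip() == "Success",
        })
    return events


def detect_password_spray(events, window_minutes=30, min_accounts=5,
                          min_source_ips=5, max_failures_per_account=3):
    """Flag windows where failures are spread thin across many accounts and many IPs.

    A per-IP rule misses a spray coming from a rotating pool of router
    addresses, so failures are bucketed by time window regardless of source
    and judged on three signals together: many distinct accounts, many distinct
    source addresses, and few attempts against any single account. A brute
    force against one account fails the first test and is left to other rules.
    """
    window_seconds = window_minutes * 60
    buckets = defaultdict(list)
    for e in events:
        if e["ok"]:
            continue
        buckets[int(e["ts"].timestamp()) // window_seconds].append(e)

    alerts = []
    for bucket, fails in sorted(buckets.items()):
        per_account = defaultdict(int)
        for e in fails:
            per_account[e["user"]] += 1
        source_ips = {e["ip"] for e in fails}
        if (len(per_account) >= min_accounts
                and len(source_ips) >= min_source_ips
                and max(per_account.values()) <= max_failures_per_account):
            start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
            alerts.append({
                "window_start": start.isoformat(),
                "accounts": sorted(per_account),
                "source_ips": sorted(source_ips),
                "failures": len(fails),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_signins(SAMPLE_SIGNINS)):
        print(f"possible password spray from {alert['window_start']}: "
              f"{len(alert['accounts'])} accounts, {len(alert['source_ips'])} source IPs, "
              f"{alert['failures']} failures")
```

Fixed 30-minute buckets keep the example short; a production rule would use a sliding window so a spray straddling a bucket boundary is not split in two, and would enrich the flagged source addresses with ASN data, since a burst of consumer-ISP addresses in Bulgaria, Russia and Ukraine against a single tenant is exactly the profile the article describes.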

Moreover, the method by which these devices become infected and integrated into the botnet remains unclear. However, before considering the disposal of your TP-Link WiFi adapter, it is important to note that compromised devices can be temporarily disinfected. Since the malware cannot write to the storage of a TP-Link device, a simple reboot may sever the connection—at least until hackers attempt to exploit the back door again. Therefore, it is advisable to periodically reboot your devices. This straightforward recommendation exemplifies why the phrase “have you tried turning it off and on again” continues to resonate.
