WASHINGTON — The U.S. government has launched a national security investigation into TP-Link, the China-founded router maker whose equipment now dominates the American market and has been targeted in repeated Chinese cyberattacks, people familiar with the matter said.

The probe opens a new front in the U.S. push to crack down on China-linked technology firms deemed a possible threat to U.S. networks and data. It singles out a company that had largely escaped national security notice even as TP-Link came to lead the market for home and small-office routers, which relay information from the internet to devices such as computers and smartphones.

Investigators from the Commerce Department subpoenaed TP-Link this month seeking details including its company structure, according to the people who asked not to be identified discussing a matter that hasn’t been publicly announced. The inquiry was reported earlier Wednesday by The Wall Street Journal.

The probe was launched in response to an August letter by the co-chairs of a bipartisan House of Representatives select committee on China, the people said. The lawmakers urged the agency to investigate the “glaring national security issue” posed by TP-Link’s dominant U.S. market share.

They also cited Chinese laws requiring companies to aid the state’s military and intelligence objectives, and frequent Chinese state-backed cyberattacks exploiting routers.

The executive order that serves as the basis for the probe gives the U.S. sweeping power to ban information and communications technology firms linked to foreign adversaries from operating in the U.S. if they’re found to pose an “unacceptable risk” to national security.

A Commerce Department spokeswoman declined to comment on the probe.

A spokeswoman for TP-Link Systems Inc. said the company “welcomes opportunities to engage with the U.S. government to demonstrate that its security practices are fully in line with industry security standards, and to demonstrate its ongoing commitment to the U.S. market and U.S. consumers.”

The company in recent months accelerated an effort to distance itself from its Chinese origin. TP-Link Systems is an entity based in Irvine, California, that was renamed in July, according to the spokeswoman. It is no longer affiliated with TP-Link Technologies, the company founded in China in 1996 and long co-owned by brothers Zhao Jianjun and Zhao Jiaxing, according to the spokeswoman.

Following a restructuring process this year, Zhao Jiaxing now owns 97.5% of the China business, and Zhao Jianjun and his wife own 100% of the U.S. and other businesses that have been consolidated under the California entity, she said.

The couple intend to become U.S. permanent residents and apply for citizenship, she added.

The moves to distance the company from China follow in the footsteps of other firms that have come under U.S. regulatory scrutiny and only deepened investigators’ skepticism of TP-Link, the people familiar with the matter said.

Potential Restrictions

Ownership aside, the people familiar with the probe said investigators fear that TP-Link is using what many U.S. national security professionals refer to as “the Huawei playbook.”

That’s a reference to claims by the U.S. government and lawmakers that Huawei Technologies Co. is a Chinese government spy tool that became a dominant player in the global networking equipment sector on the back of improper state subsidies. The company and Beijing have denied those assertions.

U.S. regulators have imposed restrictions that make it harder for Huawei to sell equipment in the U.S. and buy parts from American suppliers.

In the TP-Link investigation, U.S. officials have been struck by data showing how TP-Link undercut competitors on price to amass a majority share of the U.S. market for routers aimed at homes and small businesses — dubbed SOHO routers — in less than six years, the people familiar with the matter said.

TP-Link’s market share gains have come alongside an increase in Chinese state-sponsored hacking activity targeting SOHO routers, further alarming investigators, they said.

Hackers can intercept or alter communications running through routers as well as remotely disable them, cutting off users’ internet access. They can also use compromised routers to assemble a botnet to disguise the origin of attacks against their ultimate targets.

TP-Link routers were among the various brands — including American ones — exploited by Chinese state-sponsored hackers who launched the massive Volt, Flax and Salt Typhoon attacks, U.S. officials have determined, according to some of the people familiar with the matter.

Those hacks targeted U.S. critical infrastructure such as water and transportation networks, as well as telecom and internet firms. Investigators are also concerned about a series of Chinese state-sponsored hacks dubbed Camaro Dragon that used compromised TP-Link routers to target European foreign affairs entities.

There is no evidence that TP-Link was complicit in any of the attacks. Security researchers at Lumen Technologies’ Black Lotus Labs, which identified the Flax Typhoon hack, and at Check Point Software Technologies, which identified Camaro Dragon, have also said they found no such evidence.

“The hackers use the devices as an anonymization network,” Check Point’s Itay Cohen said in an interview. “They don’t care who makes them.”

Market Share

TP-Link now has about 60% of the U.S. retail market for wi-fi systems and SOHO routers compared with about 10% of the market at the start of 2019, according to the data that investigators are reviewing, the people familiar with the inquiry said. In the category of wifi 7 mesh systems — the most advanced on the market — TP Link has almost 80% of the U.S. retail market, that data shows, according to the people.

The TP-Link spokeswoman did not comment on the data prior to publication and then disputed it afterward, saying it overstated the company’s market share.

TP-Link has also recently signed deals with internet service providers who then supply the routers to their customers, according to a post by Wi-Fi NOW, a trade group of which TP-Link is a member. The company signed 300 such agreements over the past two years, primarily with wireless internet service providers, the post says.

In a speech in September, Rep. John Moolenaar, the Michigan Republican who serves as co-chairman of the House China committee that sent the letter prompting the TP-Link probe, said policymakers should be on the lookout for “loaded guns” and not “smoking guns” when it comes to the China threat.

Looking for a “smoking gun” is “the wrong way to think about China-related risk,” he said, without mentioning TP-Link. “After all, a smoking gun means a shot has already been fired.”

He described the threat as coming from “Chinese companies that, because of the technology they provide or the supply chains they impact, pose an unacceptable risk to our country’s security.”

The new authorities under which the Commerce Department is now investigating TP-Link were designed to assess China risks from that perspective. In June, the agency blocked Russian-controlled cybersecurity firm Kaspersky Lab from doing business in the U.S. due to its assessment that it threatened security as opposed to any overt act.

At the time, the Commerce Department warned the action would be “the first of many.”

©2024 Bloomberg L.P. Visit bloomberg.com. Distributed by Tribune Content Agency, LLC.