China-Nexus APT Hackers Using Proxy Networks For Espionage Operations

Mandiant researchers shed light on a growing trend: China-nexus cyber espionage actors are increasingly using "Operational Relay Box" networks (ORBs) to support their operations.

ORBs are proxy networks assembled from compromised devices and commercially leased virtual private servers (VPS). Unlike a traditional botnet, an ORB can be hybrid, mixing leased VPS nodes with hacked devices such as end-of-life routers and Internet-of-Things (IoT) products.

Because nodes can be added and replaced at will, ORB networks expand and change shape quickly, which makes them difficult to detect and track.

Mandiant has identified and tracked multiple ORBs, two of which stand out because they are used by China-linked Advanced Persistent Threat (APT) groups known for espionage and intellectual-property theft.

One such network, ORB3 (also known as SPACEHOP), has been observed supporting activity by well-known groups including APT5 and APT15. SPACEHOP is believed to have been used in the December 2022 exploitation of a critical Citrix ADC and Gateway vulnerability (CVE-2022-27518), a vulnerability the National Security Agency (NSA) had attributed to APT5.

The primary benefit ORBs give their operators is concealment of where malicious traffic originates.

By relaying traffic through compromised devices and VPS nodes, China-nexus APT groups hide their command-and-control (C2) infrastructure behind a rotating set of unrelated source addresses. That makes it harder to pinpoint the true source of an attack and attribute it to Chinese actors, and, because the address a victim sees belongs to a relay rather than to the operator, it makes malicious activity significantly harder to identify and block.

Mandiant's research highlights a concerning evolution in Chinese cyber espionage tradecraft. The strategic use of ORBs raises the bar for defenders, who must spend more resources to uncover and mitigate these threats.

By understanding the anatomy of ORBs and the techniques employed by China-nexus APTs, defenders can develop more robust detection and response strategies to counter these increasingly sophisticated attacks. 
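The practical consequence of the relay pattern above is that a blocklist keyed on source IP never converges: every node in the ORB shows up as a different, unrelated address, often on a residential ISP. The following Python script is an added illustration of one detection strategy and is not code from Mandiant or from the article. It parses a handful of constructed combined-format web access-log lines (using RFC 5737 test addresses), groups requests by their shape (method, path, User-Agent), enriches each source address with a constructed IP-to-network-category table standing in for a GeoIP/ASN lookup, and flags any request shape that arrives from several distinct sources spanning both residential and hosting networks. The path, User-Agent strings, network names and thresholds are all assumptions chosen for the example.

```python
"""Flag request shapes that arrive through many unrelated egress points.

Added example (not from the article or Mandiant). Rather than blocking
the relay IPs one by one, key the detection on the request shape shared
by every node carrying the same campaign. All log lines, addresses and
network labels below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress
import re

SCANNER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"  # constructed

# Constructed access-log lines: three relay nodes (two consumer-ISP devices,
# one leased VPS) send the same request; two ordinary clients visit /login;
# one line is deliberately malformed to exercise the parser's error path.
LOG_LINES = [
    f'203.0.113.7 - - [14/Dec/2022:03:14:07 +0000] "POST /cgi-bin/export.cgi HTTP/1.1" 200 512 "-" "{SCANNER_UA}"',
    f'198.51.100.23 - - [14/Dec/2022:03:14:09 +0000] "POST /cgi-bin/export.cgi HTTP/1.1" 200 512 "-" "{SCANNER_UA}"',
    f'192.0.2.88 - - [14/Dec/2022:03:14:12 +0000] "POST /cgi-bin/export.cgi HTTP/1.1" 200 512 "-" "{SCANNER_UA}"',
    f'192.0.2.88 - - [14/Dec/2022:03:14:15 +0000] "POST /cgi-bin/export.cgi HTTP/1.1" 200 512 "-" "{SCANNER_UA}"',
    f'203.0.113.50 - - [14/Dec/2022:03:15:01 +0000] "GET /login HTTP/1.1" 200 2048 "-" "{BROWSER_UA}"',
    f'198.51.100.9 - - [14/Dec/2022:03:15:30 +0000] "GET /login HTTP/1.1" 200 2048 "-" "{BROWSER_UA}"',
    "this line is not a valid access-log record",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed IP -> (network name, category) table; in production this
# would come from a GeoIP/ASN database. Only the category feeds the heuristic.
NETWORKS = {
    ipaddress.ip_network("203.0.113.0/24"): ("consumer-isp-a", "residential"),
    ipaddress.ip_network("192.0.2.0/24"): ("consumer-isp-b", "residential"),
    ipaddress.ip_network("198.51.100.0/24"): ("vps-provider", "hosting"),
}


def parse_line(line):
    """Return a dict for a combined-format record, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(ip_str):
    """Map a source address to (network name, category); unknown -> ('unknown', 'unknown')."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in NETWORKS.items():
        if ip in net:
            return label
    return ("unknown", "unknown")


def fingerprint(rec):
    """Request shape shared by every relay node carrying the same campaign."""
    return (rec["method"], rec["path"], rec["ua"])


def relay_candidates(lines, min_sources=3, min_categories=2):
    """Group requests by shape and flag shapes seen from many unrelated sources.

    A shape arriving from at least min_sources distinct IPs that span at least
    min_categories network categories (e.g. residential and hosting) matches the
    hybrid ORB pattern: one operator, many borrowed egress points.
    """
    groups = defaultdict(lambda: {"sources": set(), "categories": set(), "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records instead of aborting the whole pass
        g = groups[fingerprint(rec)]
        g["sources"].add(rec["ip"])
        g["categories"].add(classify(rec["ip"])[1])
        g["requests"] += 1

    flagged = []
    for fp, g in groups.items():
        if len(g["sources"]) >= min_sources and len(g["categories"]) >= min_categories:
            flagged.append({
                "fingerprint": fp,
                "distinct_sources": len(g["sources"]),
                "network_categories": g["categories"],
                "requests": g["requests"],
            })
    return sorted(flagged, key=lambda f: -f["distinct_sources"])


if __name__ == "__main__":
    for hit in relay_candidates(LOG_LINES):
        method, path, ua = hit["fingerprint"]
        print(f"{method} {path} seen from {hit['distinct_sources']} sources across "
              f"{sorted(hit['network_categories'])}: block on request shape, not IP (UA={ua!r})")
```

On the constructed input the export request is flagged (three distinct sources, residential plus hosting) while the two /login visits are not, even though they also come from two categories, because they fall below the source threshold. The thresholds are deliberately low so the example is readable; on real traffic they should be tuned against a baseline, and the same grouping can be keyed on other shared traits (TLS fingerprint, request timing, session token) when the operator varies the User-Agent.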

Kaaviya (https://cyberpress.org/) is a Security Editor and reporter with Cyber Press, covering cyber security incidents.
