Chinese-backed threat actors are increasingly relying on proxy networks known as operational relay boxes (ORBs) to gain an advantage when conducting espionage operations, Mandiant has observed.
This tactic lets these advanced persistent threat (APT) groups raise the cost of defending an enterprise network and shift the advantage toward the espionage operators: traffic arrives from a constantly changing pool of proxy nodes, which evades indicator-based detection and complicates attribution.
In a report published on May 22, Google-owned Mandiant described how Chinese nation-state groups, including the infamous Volt Typhoon, leverage ORB networks to deploy cyber espionage campaigns.
How ORBs Can Be Used in Cyber-Attacks
In the realm of cyber espionage, an operational relay box (ORB) network is a covert system employed by intelligence agencies.
Like botnets, ORB networks are mesh networks made up of compromised or leased devices, including virtual private servers (VPS), Internet of Things (IoT) devices, smart devices and routers. These devices constitute the nodes of the ORB network.
These devices are scattered around the globe and used as proxies for an intelligence service or a cyber espionage group, essentially turning them into secret outposts.
Mandiant classifies ORB networks into two fundamental types:
- Provisioned networks are made up of commercially leased virtual private server space that is managed by ORB administrators (e.g. ORB3, or SPACEHOP, administered by Chinese intelligence services)
- Non-provisioned networks are often made up of compromised and end-of-life router and IoT devices (e.g. ORB1, or ORBWEAVER and ORB2, or FLORAHOX)
It is also possible for an ORB to be a hybrid network combining both leased VPS devices and compromised devices.
ORB administrators source nodes from providers in many different autonomous systems (identified by autonomous system numbers, ASNs) around the world, to reduce their exposure to, or dependence on, any one nation's internet infrastructure.
An ASN identifies a unique network or group of networks on the internet that share a common routing policy and are managed by a single administrative entity. Most ASNs are allocated to network operators (internet service providers, mobile network operators and the like), although other entities such as research labs, military services and universities also have their own ASNs.
ORB network administrators build the relay infrastructure, administer the network of compromised or leased nodes, and contract access to it to multiple APT actors, each of which uses the ORB network to carry out its own distinct espionage and reconnaissance.
These networks are not controlled by the APT actors but rather are temporarily used by them, often to deploy custom tooling more conventionally attributable to known China-nexus adversaries.
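Because ORB nodes are short-lived and spread across many unrelated ASNs, an IP blocklist built from yesterday's sightings buys little. One check a defender can run instead is on behaviour: a single account whose successful logins arrive from several distinct ASNs within a short window. The script below is an editor's illustration of that check, not code from Mandiant's report or the article; the log format, the prefix-to-ASN table (using RFC 5737 test networks as stand-ins for residential and VPS ranges) and the 30-minute, three-ASN thresholds are all assumptions made for the example.

```python
"""Flag accounts whose logins hop across ASNs, a behavioural check
against ORB-style proxying. Editor's example; the ASN table and the
log lines below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed prefix -> (ASN, country) table standing in for a real ASN
# database (a deployment would use e.g. a maintained GeoLite2-ASN file).
ASN_TABLE = {
    "203.0.113.0/24": (64501, "US"),   # TEST-NET-3: stand-in residential ISP
    "198.51.100.0/24": (64502, "DE"),  # TEST-NET-2: stand-in leased VPS range
    "192.0.2.0/24": (64503, "BR"),     # TEST-NET-1: stand-in consumer router ISP
    "10.0.0.0/8": (64500, "LOCAL"),    # corporate network
}

def lookup_asn(ip):
    """Return (asn, country) for ip, or (None, None) if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, (asn, cc) in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return asn, cc
    return None, None

# Constructed SSO log: "<ISO timestamp> user=<account> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-20T08:01:12Z user=alice src=10.20.3.4 result=ok
2024-05-20T08:03:40Z user=alice src=10.20.3.4 result=ok
2024-05-20T08:05:02Z user=svc-backup src=203.0.113.17 result=ok
2024-05-20T08:09:45Z user=svc-backup src=198.51.100.201 result=ok
2024-05-20T08:14:10Z user=svc-backup src=192.0.2.88 result=ok
2024-05-20T08:20:33Z user=bob src=203.0.113.5 result=ok
2024-05-20T09:30:00Z user=svc-backup src=203.0.113.99 result=ok
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, src_ip, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["user"], kv["src"], kv["result"]))
    return events

def asn_hops(events, window=timedelta(minutes=30), min_asns=3):
    """Return {user: sorted ASNs} for every user whose successful logins
    came from at least `min_asns` distinct ASNs inside one sliding `window`."""
    per_user = defaultdict(list)
    for ts, user, src, result in events:
        if result != "ok":
            continue
        asn, _cc = lookup_asn(src)
        if asn is None:          # unknown prefix: nothing to attribute
            continue
        per_user[user].append((ts, asn))
    flagged = {}
    for user, evs in per_user.items():
        evs.sort()
        j = 0                    # left edge of the sliding window
        for i in range(len(evs)):
            while evs[i][0] - evs[j][0] > window:
                j += 1
            asns = {a for _, a in evs[j:i + 1]}
            if len(asns) >= min_asns:
                flagged[user] = sorted(asns)
                break
    return flagged

if __name__ == "__main__":
    for user, asns in asn_hops(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: logins from {len(asns)} ASNs within 30 min -> {asns}")
```

On the constructed log this flags only `svc-backup`, which hits three ASNs on three continents in nine minutes; `alice` and `bob` stay on one ASN each. Two caveats for real use: mobile users behind carrier-grade NAT can legitimately change ASN, so tune the window and exempt known egress ranges rather than alerting on any hop; and because ORB nodes sit in ordinary residential and VPS ranges, ASN reputation on its own says little, which is exactly why the check looks at hopping rather than at where any single connection came from.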