Cybersecurity defenders have widely relied on blocking attacker IP addresses through identified IOCs in response to threat actor campaigns. However, Chinese threat actors are rapidly rendering this usual strategy obsolete through the widespread adoption of ORB Networks. ORBs are complex, multi-layered networks, typically managed by private companies or entities within the Chinese government. They offer access to a constantly shifting pool of IP addresses, allowing multiple threat actors to mask their activities behind seemingly innocuous traffic.

Use of ORB Networks by Threat Actors Present Additional Challenges to Defenders

Researchers from Mandiant stated that the sheer size and scope of these networks, often hundreds of thousands of nodes deep, provide a great deal of cover and make it difficult for defenders to attribute and learn more about attackers. Additionally, the geographic spread of ORBs allows hackers in China to circumvent geographic restrictions or appear less suspicious by connecting to targets from within their own region. Most importantly, ORB nodes are short-lived, with new devices typically cycled in and out every month or few months, making it difficult for defenders to tie IPs to their users for any good amounts of time. These operational relay box networks (ORBs) are maintained by private companies or elements within the Chinese government and are made up of five layers: Chinese servers, virtual private servers (VPS), traversal nodes, exit nodes, and victim servers. ORBs can be classified into two groups: provisioned, which use commercially rented VPS's, and nonprovisioned, built on compromised and end-of-life routers and Internet of Things (IoT) devices. These networks are akin to botnets and ORB network administrators can easily grow the size of their network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. The researchers cited two prominent examples to illustrate the sophistication of these networks:

• ORB3/SPACEHOP: A provisioned network linked to APT5 and APT15, targeting entities in North America, Europe, and the Middle East. Known for exploiting vulnerabilities like CVE-2022-27518.
• ORB2/FLORAHOX: A hybrid network employing compromised Cisco, ASUS, and DrayTek routers, alongside TOR network relays and VPS servers. Linked to APT31 and Zirconium, demonstrating a multi-layered approach to traffic obfuscation.

Adapting to the Threat of ORB Networks

Researchers have advised that instead of simply blocking adversary infrastructure, defenders must now consider temporality, multiplicity of adversaries, and ephemerality. They recommend approaching these ORB networks as distinct entities with distinct tactics, techniques, and procedures (TTPs) rather than the use of inert indicators of compromise. By analyzing their evolving characteristics - including infrastructure patterns, behaviors, and TTPs - defenders can gain valuable insights into the adversary's tactics and develop more effective defenses. While leveraging proxy networks for attack obfuscation isn't new, the rise of the ORB network industry in China points to long-term investments in equipping cyber operators with more sophisticated tactics and tools. The evolution of these ORBs networks also highlight that a static defense may be a losing defense. To counter this growing threat and level the playing field, enterprises must embrace a mindset of continuous adaptation, while investing in advanced threat intelligence, behavioral analysis tools, and skilled personnel. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.