China-linked threat groups are increasingly using an emerging method to create botnet-like networks of compromised devices that make it easier for them to move through networks undetected to gather information or run other operations.

Cybersecurity analysts have been researching Operational Relay Boxes (ORBs) since 2020, but more recently, they have been detecting campaigns linked to China-Nexus bad actors using the technique, according to a report by SecurityScorecard. The researchers point to a report last year by Google-owned Mandiant tracking the brief history of ORB networks as well as the growing number of threat analysts finding such networks.

“The rise of ORB Networks as a main TTP [tactic, technique, and procedure] for China nexus APTs [advanced persistent threats] poses a significant challenge to traditional security best-practices by eroding the importance of Indicators of Compromise (IOC) tracking, due to the sheer number of nodes and the rapid pace at which they change,” the SecurityScorecard researchers wrote.

LapDogs Campaign Shows Chinese Groups’ Growing Use of ORB Networks


In the report, they dive deep into a growing ORB network they’re calling LapDogs that comprises more than 1,000 compromised devices. The network is extensive, targeting mostly Linux-based small office and home office (SOHO) devices, though there are some Windows-based systems included. The ORB network consists primarily of older routers and other devices with firmware that’s unpatched or outdated, with most concentrated in the United States and Southeast Asia, including Japan, South Korea, Hong Kong, and Taiwan.

Of the targeted devices, about 55% are Ruckus Wireless access point devices, while Buffalo Technology’s AirStation wireless routers were also high on the list. Many of the victims were in sectors such as IT, networking, media and real estate, according to SecurityScorecard.

LapDogs and ShortLeash

Key to LapDogs is the use of a backdoor dubbed “ShortLeash,” which gives the threat actor a persistent presence on compromised devices and connects them into the network. To further cover the campaign’s activities, ShortLeash also creates a unique, self-signed TLS certificate with spoofed metadata for each node, including some that appear to have been signed by the Los Angeles Police Department, an attempt to make the node pass as a legitimate LAPD network device.
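A defender-side check for the certificate trait described above, written here as an added example (not code from SecurityScorecard or the LapDogs report): it builds a constructed self-signed certificate with a spoofed organisation as sample input, then flags certificates that verify against their own key and whose subject organisation carries a word a SOHO router has no reason to present. The watch-list words and the `router.lan` common name are assumptions for the example, not a published ShortLeash signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Hypothetical watch-list of words a SOHO router's own certificate has no reason
// to carry (an assumption for this example, not a published ShortLeash rule).
var suspiciousOrgWords = []string{"police", "sheriff", "government"}

// MakeSampleCert builds a constructed self-signed certificate with a spoofed
// organisation, standing in for one scraped from a router's TLS listener.
func MakeSampleCert(org string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "router.lan"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == self
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Findings lists the traits that make a certificate look like a spoofed,
// self-signed ORB node certificate; an empty slice means nothing stood out.
func Findings(c *x509.Certificate) []string {
	var out []string
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		out = append(out, "self-signed") // signature verifies against its own public key
	}
	orgs := strings.ToLower(strings.Join(c.Subject.Organization, " "))
	for _, w := range suspiciousOrgWords {
		if strings.Contains(orgs, w) {
			out = append(out, "spoofed org word: "+w)
		}
	}
	return out
}
```

A self-signed certificate on its own is common on home routers, so the check only becomes interesting when the organisation field also claims an identity the device cannot plausibly hold.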

“ShortLeash enables unnoticed operation with high-level privileges, creating backups for persistence,” the researchers wrote, adding that evidence including Mandarin-language developer notes in startup scripts, together with the tools, techniques, and victimology, bolsters the argument that LapDogs, like similar ORBs, is run by Chinese APTs. “LapDogs shares commonalities with some prolific China-Nexus ORB networks, most notably PolarEdge, while conclusively standing out as an independent ORB.”

The LapDogs ORB has been around since at least September 2023 and is steadily growing, they wrote, noting that it “shows signs of a vast and prolonged intrusion operation that is carried out with intent and planning for both the overarching picture and the finer details.”

In addition, LapDogs shows many of the same characteristics and targets as PolarEdge, an ORB network detected earlier this year by cybersecurity firm Sekoia, though SecurityScorecard views the two as separate entities, pointing to a lack of common code between the two and differences in the infection processes.

ORB Networks and Botnets

Security teams will need to adapt to ORB networks given their growing use by China-linked threat groups, the researchers wrote. While ORB networks resemble botnets in nature, there are differences, including a tendency to operate more covertly and to lean toward espionage campaigns.

“While both ORBs and Botnets commonly consist of a large set of compromised, legitimate internet-facing devices or virtual services, ORB Networks are more like swiss army knives, and can contribute to any stage of the intrusion lifecycle, from reconnaissance, anonymized actor browsing, and netflow collection to port and vulnerability scanning, initiating intrusion cycles by reconfiguring nodes into staging or even C2 servers, and relaying exfiltrated data up the stream,” they wrote.

They are capable of being used in high-profile botnet-style campaigns such as distributed denial-of-service (DDoS) or brute-force attacks, but the bad actors that use ORB networks tend to want to operate undetected, the researchers wrote, noting that the continued flow of legitimate internet traffic through the networks further obfuscates their activities.

Evading Detection

That said, security analysts are finding them. Mandiant, a year ago, wrote about the trend of China-nexus operators using ORB networks for their espionage campaigns, noting the ability to hide their activities and their use of rented virtual private servers and malware to target routers and grow the number of devices used to relay their traffic. Researchers wrote that “this is an effort to raise the cost of defending an enterprise’s network and shift the advantage toward espionage operators by evading detection and complicating attribution.”

Sekoia analysts wrote about PolarEdge in February, and earlier this month, researchers with SentinelOne’s SentinelLABS unit outlined similar China-linked operations they called PurpleHaze and ShadowPad.

In March, Cisco’s Talos group wrote about UAT-5918, an APT group targeting organizations in Taiwan to gain long-term persistent access to their environments. The hackers usually get initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. “The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise.”

Attribution a Challenge

The SecurityScorecard analysts said determining the group operating an ORB network is difficult because the networks tend to be shared by multiple threat actors for separate campaigns. That said, as with UAT-5918, they determined, through the Mandarin code notes in ShortLeash and the focus on Southeast Asian victims, that LapDogs is an ORB network used by China-nexus groups. They also determined that UAT-5918 used the network at least once.

The LapDogs campaign “shows a surging interest from China-Nexus threat actors in using ORB Networks to conduct covert intrusion campaigns both around the globe and tailored to specific victims of interest,” they wrote. “With an increasing interest in this approach, security teams should be on alert that China-Nexus threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation.”

The Mandiant researchers wrote that “if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape.”