Chinese Hackers Using ORB Proxy Networks For Stealthy Cyber Attacks

Researchers found that cyber espionage groups with ties to China are increasingly using complicated proxy networks called Operational Relay Box (ORB) networks.

These networks are made up of mesh networks made from hacked devices and commercially leased virtual private servers (VPS). 

Unlike traditional botnets, ORBs can be a hybrid of both, offering threat actors a constantly evolving infrastructure that’s difficult to track by reporting details of the framework developed by Mandiant to map these ORBs, allowing defenders to identify potential infiltration attempts.

One such network, ORB3 (also known as SPACEHOP), has been linked to the well-known Chinese APT (Advanced Persistent Threat) groups APT5 and APT15.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

At the same time, SPACEHOP is believed to be used for tasks like initial reconnaissance and vulnerability exploitation. 

It has been highlighted that while using proxy networks for espionage isn’t new, the scale and sophistication of ORBs employed by Chinese actors are a significant development.

By leveraging ORBs, Chinese APT groups can mask the origin of their malicious traffic, making it harder for defenders to identify and block communication between the attackers’ command and control (C2) infrastructure and the targeted victim’s network.

It extends to compromised devices on the victim’s network’s edge, potentially including those exploited through zero-day vulnerabilities. 

The adversary-controlled operation servers (ACOS) and relay nodes within these ORBs are typically hosted in Chinese and Hong Kong IP spaces, further complicating attribution efforts.

The increased use of ORBs raises the bar for defenders as traditional methods of identifying and blocking malicious IP addresses become less effective due to the constantly shifting nature of the proxy network. 

Mandiant’s research suggests that defenders must adopt a more comprehensive strategy, including monitoring network traffic for suspicious behavior patterns and anomalous communication flows, even if they originate from seemingly legitimate IP addresses. 

The focus on behavioral analysis and threat intelligence feeds that track known ORB indicators of compromise (IOCs) can help defenders improve their ability to detect and disrupt ongoing cyber espionage attempts. 

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.