ORBs: Hacking groups’ new favourite way of keeping their attacks hidden

Cyber-espionage groups are making it harder to spot where their attacks are coming from by upping their usage of proxy networks – known as operational relay box networks or ORBs – that can throw defenders off the scent.

Cyber security company Mandiant has warned that it has seen a growing trend for China-backed espionage operations, in particular, to use ORBs to cover their tracks.

These ORB networks are somewhat like botnets and can be made up of virtual private servers (VPS), as well as compromised internet of things (IoT) devices and insecure routers. This combination makes it harder for defenders to track attacks because these groups can disguise traffic between their command-and-control infrastructure and their final targets.

ORB networks are one of the major innovations in Chinese cyber espionage that are challenging defenders, said Michael Raggi, Mandiant principal analyst at Google Cloud.

“They’re like a maze that is continually reconfiguring with the entrance and the exit disappearing from the maze every 60 to 90 days,” he said. “To target someone, these actors may be coming from a home router right down the street. It’s not unusual for an entirely unwitting person’s home router to be involved in an act of espionage.” 

These networks are often built by renting VPS and using malware designed to target routers to grow the number of devices capable of relaying traffic. Because the makeup of these networks changes rapidly, using an ORB network makes it harder to spot attacks and pin them on a particular group in terms of attribution.

That makes classic indicators of compromise (IOC) – the tech details and clues commonly shared about attacks – less useful because these groups will regularly cycle through network infrastructure.

The scale of these networks, Mandiant said, means attackers can piggyback on devices that have a handy geographic proximity to targeted enterprises. That allows their malicious traffic to blend in when being reviewed by analysts.

“One such example would be traffic from a residential ISP that is in the same geographic location as the target that is regularly used by employees and would be less likely to get picked up for manual review,” said Mandiant’s report.

As a result, the security company said, enterprise security teams should shift their thinking. That means that rather than treating ORB networks as just part of the infrastructure used by attackers, they should track ORBs “like evolving entities akin to APT [advanced persistent threat] groups”.

ORB networks are not a new invention and have regularly been used as part of espionage campaigns to obscure who the attacker is and where they are. But Mandiant said the use of these networks by China-backed espionage actors has become more common over recent years.

These ORBs are infrastructure networks run by contractors or others within China. They are not controlled by a single APT espionage or hacking group, but are shared between them, which Mandiant said means multiple APT actors will use the ORB networks to carry out their own distinct espionage and reconnaissance.

This infrastructure often shifts – the lifespan of an IPv4 address associated with an ORB node can be as short as 31 days. Mandiant said a competitive differentiator among ORB network contractors in China appears to be their ability to cycle significant percentages of their compromised or leased infrastructure on a monthly basis.

That means just blocking the infrastructure linked to an ORB network at a particular time is not going to be as effective as was previously the case. “As a result, IOC extinction is accelerating and the shelf life of network indicators is decreasing,” Mandiant said.

“Infrastructure or the compromised router device communicating with a victim environment may now be identifiable to a particular ORB network, while the actor using that ORB network to carry out the attack may be unclear and require investigation of the complex tools and tactics observed as part of an intrusion,” the report said.

John Hultquist, Mandiant chief analyst, Google Cloud, added: “Chinese cyber espionage was once noisy and easily trackable. This is a new type of adversary.”

The nodes in an ORB network are usually distributed globally. Mandiant gives the example of one it tracks as ORB3 or Spacehop, which it described as a very active network used by multiple China-backed groups.

It uses a relay server hosted in either Hong Kong or China by cloud providers, while the relay nodes are often cloned Linux-based images, which are used to proxy malicious network traffic through the network to an exit node that communicates with targeted victim environments.

Mandiant said it was notable that this network has a “robust volume” of nodes in Europe, the Middle East, and the US – all of which are regions targeted by China-backed APT15 and ATP5.

In contrast, another network that Mandiant tracks (known as ORB2 or Florahox) also features compromised network routers and IOT devices. The network appears to contain several subnetworks composed of compromised devices recruited by the router implant known as Flowerwater.

Mandiant said that all of this creates a problem for defenders, because rather than simply blocking infrastructure associated with attackers they now have to consider what infrastructure is part of the ORB network right now, for how long, and who is using the ORB network.

Mandiant added that the best way to deal with the challenge posed by ORB networks is to stop tracking espionage command and control infrastructure as an inert indicator of compromise and start tracking it as an entity in itself.

“Instead, infrastructure is a living artifact of an ORB network that is a distinct and evolving entity where the characteristics of IP infrastructure itself, including ports, services, and registration/hosting data, can be tracked as evolving behaviour by the adversary administrator responsible for that ORB network,” Mandiant said.

It warned that the rise of the ORB industry in China points to long-term investments in equipping China-backed cyber operations with more sophisticated tactics and tools.

“Whether defenders will rise to this challenge depends on enterprises applying the same deep tactical focus to tracking ORB networks as has been done for APTs over the past 15 years,” Mandiant said.