State hackers turn to massive ORB proxy networks to evade detection

May 22, 2024 at 01:40PM

China-linked state-backed hackers are using operational relay box (ORB) networks as proxy meshes for cyberespionage operations. These ORBs involve hybrid combinations of VPS services and compromised IoT devices. Two networks, ORB3/SPACEHOP and ORB2/FLORAHOX, are being used for reconnaissance and vulnerability exploitation, creating challenges for detection and attribution. Attackers are evading tracking by rapidly cycling through nodes with short IPv4 lifespans and using diverse geographic locations for malicious traffic. Enterprise defense is increasingly complex due to these developments.

Key takeaways from the article:

1. China-linked state-backed hackers are leveraging operational relay box (ORB) networks for cyberespionage operations. These networks consist of compromised online devices and virtual private servers (VPS), creating challenges in detection and attribution due to the broad geography and lack of control by the threat actor.

2. Security firm Mandiant has been tracking multiple ORBs, such as ORB3/SPACEHOP and ORB2/FLORAHOX, used by advanced threat actors known for espionage and intellectual property theft operations linked to China.

3. ORB3/SPACEHOP is a provisioned network hosted in Hong Kong or China, used for reconnaissance and vulnerability exploitation, while ORB2/FLORAHOX is a hybrid network consisting of compromised devices, VPS services, and Tor nodes that obfuscate the true source of the traffic.

4. ORB networks share a set of essential components: an Adversary Controlled Operations Server (ACOS), relay nodes, traversal nodes, exit/staging nodes, and the victim servers. Together these let the operator stage attacks stealthily and independently of the infrastructure of any single internet provider.

5. The use of ORBs poses significant challenges for enterprise defense, including stealth and resilience, short lifespans of ORB node IPv4 addresses, use of Autonomous System Number (ASN) providers, and targeting enterprises from devices in close geographic proximity to evade detection.

6. As adversaries increasingly rely on ORBs, protecting enterprise environments becomes harder: detection grows more complex, attribution is complicated, and static indicators of adversary infrastructure (such as IP addresses) lose much of their value for defenders.
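Points 5 and 6 are the practical problem for a SOC: when each ORB node's IPv4 address lives for a day or less, a blocklist of yesterday's addresses is stale before it ships. The detection logic below is an added illustration, not code from the article or from Mandiant. It assumes a constructed edge-log format (timestamp, source IP, ASN, destination, action; the IPs are from RFC 5737 documentation ranges) and shows the shift from per-IP indicators to a behavioural signal: a single destination being hit, inside a short window, from many distinct short-lived source addresses spread across several ASNs, which is the footprint a rotating proxy mesh leaves regardless of which addresses it happens to be using today.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). One connection attempt
# per line. The first seven show a destination being probed from five addresses
# in four ASNs within three hours; the last three show one stable, long-lived
# address for comparison.
SAMPLE_LOG = """\
2024-05-20T10:00:00Z src=203.0.113.5 asn=AS64500 dst=vpn.example.com action=login_fail
2024-05-20T10:04:00Z src=203.0.113.5 asn=AS64500 dst=vpn.example.com action=login_fail
2024-05-20T10:30:00Z src=198.51.100.7 asn=AS64501 dst=vpn.example.com action=login_fail
2024-05-20T11:10:00Z src=192.0.2.44 asn=AS64502 dst=vpn.example.com action=login_fail
2024-05-20T11:12:00Z src=192.0.2.44 asn=AS64502 dst=vpn.example.com action=login_fail
2024-05-20T12:00:00Z src=198.51.100.9 asn=AS64501 dst=vpn.example.com action=login_fail
2024-05-20T13:00:00Z src=203.0.113.77 asn=AS64503 dst=vpn.example.com action=login_fail
2024-05-20T09:00:00Z src=198.51.100.200 asn=AS64510 dst=mail.example.com action=login_ok
2024-05-22T09:00:00Z src=198.51.100.200 asn=AS64510 dst=mail.example.com action=login_ok
2024-05-24T09:00:00Z src=198.51.100.200 asn=AS64510 dst=mail.example.com action=login_ok
"""

# Hypothetical key=value line layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) asn=(?P<asn>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    """Parse every well-formed line, silently skipping malformed ones."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def ip_lifespans(events):
    """Return {src_ip: hours between first and last sighting}.

    A short lifespan is the per-address symptom of a rotating proxy mesh; it is
    also why a blocklist built from these addresses decays quickly.
    """
    seen = {}
    for ev in events:
        first, last = seen.get(ev["src"], (ev["ts"], ev["ts"]))
        seen[ev["src"]] = (min(first, ev["ts"]), max(last, ev["ts"]))
    return {ip: (last - first).total_seconds() / 3600 for ip, (first, last) in seen.items()}


def churn_clusters(events, window=timedelta(hours=6), min_ips=4,
                   max_lifespan_h=24.0, min_asns=3):
    """Flag destinations hit, within `window`, by many distinct short-lived
    source IPs spread across several ASNs.

    Returns {dst: {"ips": n, "asns": n, "short_lived": n}} describing the
    densest qualifying window for each flagged destination. Thresholds are
    illustrative and would be tuned to the environment's baseline.
    """
    lifespans = ip_lifespans(events)
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[ev["dst"]].append(ev)

    flagged = {}
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):            # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ips = {e["src"] for e in win}
            asns = {e["asn"] for e in win}
            short = {ip for ip in ips if lifespans[ip] <= max_lifespan_h}
            if len(short) >= min_ips and len(asns) >= min_asns:
                stats = {"ips": len(ips), "asns": len(asns), "short_lived": len(short)}
                if best is None or stats["short_lived"] > best["short_lived"]:
                    best = stats
        if best is not None:
            flagged[dst] = best
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, hours in sorted(ip_lifespans(events).items()):
        print(f"{ip:16} lifespan {hours:6.2f} h")
    print("flagged:", churn_clusters(events))
```

The single long-lived address against `mail.example.com` never trips the rule, while `vpn.example.com` is flagged on the basis of source-address churn and ASN spread alone; none of the five probing addresses needs to be on a list in advance, which is the property an ORB's rapid IPv4 cycling is meant to defeat.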

