Global botnets are being exploited by hackers – and they can even hide all evidence using ORB networks

Threat actors are continuously evolving their techniques to remain undetected when infiltrating organizations, with new research revealing how persistent groups like Volt Typhoon evade detection.

Mandiant has seen increased use of operational relay box networks (ORBs) to obscure indicators of compromise (IoCs). An ORB network is essentially a botnet made up of IoT devices, virtual private servers, smart devices, and older routers that no longer receive security updates.

This sprawling network of devices conceals the activities of threat actors; Mandiant assesses with moderate confidence that the technique is meant to hinder defenders by obscuring the actors' activity and complicating attribution.

Threat actors turn to global ORBs

To break it down into simpler terms, an ORB is a collection of devices from around the world that are controlled and operated by independent entities and individuals within the People’s Republic of China. The ORB network is used by many different APT groups to cover up their activities.

John Hultquist, Mandiant Principal Analyst at Google Cloud, summarized the use of ORBs, stating that “Chinese cyber espionage was once noisy and easily traceable. This is a new type of opponent.”

By routing their internet traffic through devices that are geographically close to the target organization, threat actors can blend in with traffic that might otherwise appear legitimate. This technique is especially effective against enterprise-level organizations with constantly changing infrastructure.

More often than not, the owners of the compromised devices are unaware that they are contributing to the ORB network, and some IPv4 addresses are active as nodes in the network for only 31 days.

By leveraging ORB networking, threat actors remove the typical IoCs that defenders rely on to identify a potential breach or intrusion. Typically, a defender can be alerted to traffic that is outside the geographic boundaries of their network, or can attribute an attack to a specific actor by analyzing the network infrastructure used to carry out the attack.
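The detection gap described above can be made concrete with a small script. The following is an added example, not code from the article or from Mandiant: it runs a classic geo-boundary rule and a static IoC blocklist over a constructed authentication log, then a behavioural rule that counts distinct source IPs per account within a sliding window. The log lines, the blocklist and the user names are all invented for illustration; the point is that relay traffic arriving from in-country residential addresses passes the first two checks and is only caught by the third.

```python
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). Fields:
# timestamp user source_ip geo_country asn_label outcome
# "alice" is reached through four different in-country residential IPs
# within six minutes, the pattern that relaying through nearby devices
# produces; "carol" arrives from abroad and is the only event a
# geo-boundary rule would catch.
SAMPLE_LOG = """\
2024-05-20T08:01:12Z alice 203.0.113.7 US AS-RES-1 success
2024-05-20T08:03:40Z alice 198.51.100.23 US AS-RES-2 success
2024-05-20T08:05:02Z alice 192.0.2.88 US AS-RES-3 success
2024-05-20T08:06:55Z alice 203.0.113.140 US AS-RES-4 success
2024-05-20T09:10:00Z bob 203.0.113.9 US AS-CORP success
2024-05-20T09:12:30Z carol 198.51.100.200 RU AS-FOREIGN failed
"""

# Hypothetical IoC feed holding one relay IP seen in an earlier incident;
# by the time it is consumed the other relay nodes have already rotated.
STALE_BLOCKLIST = {"203.0.113.7"}


def parse_log(text):
    """Parse the space-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, asn, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "asn": asn, "outcome": outcome,
        })
    return events


def geo_boundary_alerts(events, allowed_countries=("US",)):
    """Classic rule: flag logins whose source geolocates outside the allowed set."""
    return [(e["user"], e["ip"], e["country"])
            for e in events if e["country"] not in allowed_countries]


def blocklist_hits(events, blocklist):
    """Static IoC matching: only events from IPs already on the list are caught."""
    return [(e["user"], e["ip"]) for e in events if e["ip"] in blocklist]


def ip_churn_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Behavioural rule: flag an account seen from >= threshold distinct
    source IPs inside any sliding window, wherever those IPs geolocate."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            recent = {e["ip"] for e in evs[: i + 1]
                      if cur["ts"] - e["ts"] <= window}
            if len(recent) >= threshold:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("geo-boundary alerts:", geo_boundary_alerts(evs))        # carol only
    print("blocklist hits:", blocklist_hits(evs, STALE_BLOCKLIST))  # 1 of alice's 4 relays
    print("ip-churn alerts:", ip_churn_alerts(evs))                 # alice
```

The churn rule is deliberately independent of geolocation and of any IP list: it keys on the account rather than on the infrastructure, which is the part of the picture an attacker rotating relay nodes cannot easily change. In practice the window and threshold would be tuned per environment, and source ASN or device fingerprint can be added to the distinctness check to cut false positives from mobile users.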

“ORB networks are one of the key innovations in Chinese cyber espionage challenging defenders. They are like a maze that is constantly reconfigured, with the entrance and exit disappearing from the maze every 60 to 90 days,” said Michael Raggi, Mandiant Principal Analyst at Google Cloud.

“To target someone, these actors could be coming from a home router down the street. It is not unusual for a completely unwitting person’s home router to become involved in an act of espionage,” he concluded.
