Chinese threat actors are evolving their tactics to bypass traditional cybersecurity defenses by leveraging ORB networks, presenting a new and complex challenge for defenders. These networks, consisting of multiple layers managed by private entities or the Chinese government, offer threat actors a constantly shifting pool of IP addresses that masks their activities and makes attribution difficult.
Research from Mandiant has highlighted the extensive size and scope of ORBs, with hundreds of thousands of nodes providing cover for attackers. The geographic spread of these networks allows hackers in China to appear less suspicious by connecting to targets from nodes in the target's own region, while the short-lived nature of ORB nodes makes it challenging for defenders to tie an IP address to a specific user over time.
Operational relay box (ORB) networks are composed of five layers: Chinese servers, virtual private servers (VPS), traversal nodes, exit nodes, and victim servers. An ORB network can be provisioned, built from commercially rented VPSs, or non-provisioned, built from compromised routers and IoT devices; the latter resemble botnets in their ability to conceal espionage operations.
Two notable examples of ORB networks, ORB3/SPACEHOP and ORB2/FLORAHOX, have been linked to advanced persistent threat (APT) groups targeting entities globally. Both demonstrate the complexity and sophistication of ORB infrastructure in evading detection and attribution.
In response to the threat posed by ORB networks, researchers recommend that defenders shift their strategy from simply blocking adversary infrastructure, which ORB churn renders short-lived, to analyzing the evolving characteristics of these networks. By focusing on the tactics, techniques, and procedures (TTPs) of ORB operators, defenders can develop more durable defenses against these evolving threats.
While the use of proxy networks for attack obfuscation is not new, the emergence of ORB networks in China indicates a long-term investment in equipping cyber operators with advanced tools and tactics. This evolution underscores the need for enterprises to adopt a mindset of continuous adaptation and investment in advanced threat intelligence and skilled personnel to effectively counter these threats.
In conclusion, the rise of ORB networks poses a significant challenge to cybersecurity defenders, requiring a more nuanced and adaptive approach to threat mitigation. By understanding the complexities of these networks and investing in advanced defenses, organizations can better protect against the evolving tactics of threat actors in the digital landscape.
