Threat actors are constantly evolving their techniques to remain undetected when infiltrating organizations, with new research revealing how persistent groups like Volt Typhoon are evading detection.
Mandiant has observed increased usage of operational relay box networks (ORBs) to obscure indicators of compromise (IoC). These ORBs are essentially a botnet made of IoT devices, virtual private servers, smart devices, and older routers that no longer receive security updates.
This complex mesh of devices helps to hide the activity of threat actors, with Mandiant assessing with moderate confidence that this technique is being used to push back against defenders by hiding their activity and complicating attribution.
Threat actors turn to global ORBs
To break it down into more simple terms, an ORB is a collection of devices from around the globe managed and administered by independent entities, and individuals within the People’s Republic of China. The ORB network is used by many different APT groups to obfuscate their activity.
John Hultquist, Mandiant Principal Analyst at Google Cloud, summed up the use of ORBs, stating that, “Chinese cyber espionage was once noisy and easily trackable. This is a new type of adversary.”
By cycling their internet traffic through devices located geographically nearby to the target organization, threat actors can blend in with traffic that may otherwise appear legitimate. This technique is particularly effective against enterprise-level organizations with a constantly changing infrastructure.
More often than not, the owners of the compromised devices are not aware that they are contributing to the ORB, with some IPv4 addresses only being active as a node in the network for as few as 31 days.
By using ORB networks, threat actors are removing the typical IoCs on which defenders rely to identify a potential breach or intrusion. Typically, a defender could be alerted to traffic that is outside the geographical boundaries of their network, or be able to attribute an attack to a particular actor by analyzing the network infrastructure used to launch the attack.
“ORB networks are one of the major innovations in Chinese cyber espionage that are challenging defenders. They’re like a maze that is continually reconfiguring with the entrance and the exit disappearing from the maze every 60 – 90 days,” said Michael Raggi, Mandiant Principal Analyst at Google Cloud.
“In order to target someone, these actors may be coming from a home router right down the street. It’s not unusual for an entirely unwitting person’s home router to be involved in an act of espionage,” he concluded.
