Chinese 'ORB' Networks Conceal APTs, Render Static IoCs Irrelevant

Chinese threat actors have been quietly and gradually revolutionizing anti-analysis techniques by hiding their malicious activities behind vast global networks of proxy devices.

At issue: the operational relay box network (ORB), a vast infrastructure comprised of virtual private servers (VPS) and compromised smart devices and routers. Often alluded to yet rarely identified as distinct operational structures, ORBs have been around for years. But only since 2020 have they increasingly become so common, layered, and active as they are in China today — and, to a lesser extent, in other prominent cyber-threat hubs like Russia, new analysis shows.

Analysts from Mandiant warn in a new report published today that defenders now have to upend the fundamental ways they've been tracking and blocking threats for decades.

In fact, since Chinese ORBs have become so popular and effective at concealing their patrons, cyber defenders may now need to scrap the notion of attacker IPs as a static indicator of compromise (IoC) altogether. In its report, Mandiant argues that command-and-control infrastructures should be thought of as advanced persistent threats (APTs) in and of themselves, with their own shifting tactics, techniques, and procedures.

"What you're dealing with, as an enterprise, is the professionalization of infrastructure-as-a-service," says Michael Raggi, principal analyst with Mandiant by Google Cloud. "It's no longer [the case that] if you see a threat actor utilizing a single IP, that we can attribute that activity to a single threat actor. Instead, all we're really able to say is this threat actor is using this support network in this time period. There might be other APT actors utilizing that ORB network at the same time, even egressing from the same network IPs."

China's ORBs

ORBs are maintained either by private companies or elements within the government of the People's Republic of China. Each one facilitates not just one but multiple threat clusters at any given time.

They're made up of five layers in all:

ORBs can be further classified into two groups, according to Mandiant: provisioned, where traversal nodes are commercially rented VPS's and nonprovisioned, built on compromised and end-of-life routers and Internet of things (IoT) devices. ORBs also can be a hybrid of the two groups. A wide range of threat actors have been observed utilizing each of these different forms of ORBs, according to Mandiant.

Provisioned or otherwise, the traversal and exit nodes are aggregated in bulk from around the world. The sheer size and scope of these networks, often hundreds of thousands of nodes deep, provides a great deal of cover, forcing defenders to wade through thick fog in attempting to attribute and learn more about attackers. ORBs' geographic spread has additional benefits, too, reducing the exposure to and dependence on any one nation's infrastructure, and allowing hackers in China to circumvent geographic restrictions or simply appear less suspicious by connecting to targets from within their own region.

Most important of all — more than their type, volume, and spread — is that ORB nodes are short-lived. New devices typically are cycled in and out every month or few months, and network providers compete over the rate at which they turn over their assets. The idea is to prevent defenders from tying IPs to their users for any good amounts of time.

At the end of all of this, you get something like ORB2 Florahox or ORB3 Spacehop. The former, a hybrid network made up of multiple subnets that uses various payloads to recruit and organize Cisco, ASUS, and other popular routers, has in the past been leveraged by APT 31 (aka Zirconium), among other groups. The latter, a flatter, provisioned ORB, has been active since at least 2019 and used in campaigns affecting organizations in North America, Europe, and the Middle East. For example, China's APT 5 utilized Spacehop as part of a high-profile 2022 campaign targeting Citrix ADC and Gateway devices.

What Defenders Must Do Now

Through all of cyber history up to this point, organizations have used firewalls to block attackers' IP addresses. Now that attackers have access to hundreds of thousands of constantly changing IPs at a time, the whole exercise is moot, according to Mandiant.

Now organizations have to engage with ORBs as their own distinct, dynamic entities, worthy of analysis and consistent monitoring like the attackers using them.

"Rather than waiting to be reactive or responsive to block each IP as an indicator of compromise," Raggi suggests, "you're rather trying to look at the patterns of infrastructure that they're registering. You're looking at: What types of routers are they compromising? What ports and services do I see they're coming from? You should also look at certain patterns that exist with SSL certificates or SSH certificates, so you have a profile of activity to look for."

He adds: "By getting familiar with an ORB network as an independent entity, you can create behavior-based signatures that are less rigid than [static] indicators of compromise."