Hackers are exploiting global botnets – they can even hide all evidence using the ORB network

Criminals are constantly refining their techniques to remain undetected when infiltrating organizations, and new research shows how persistent groups like Volt Typhoon avoid detection.

Mandiant has observed increased use of operational relay box (ORB) networks to obfuscate indicators of compromise (IoC). These ORBs are essentially a botnet consisting of IoT devices, virtual private servers, smart devices, and legacy routers that no longer receive security updates.

This complex mesh of devices helps conceal the activity of threat actors, and Mandiant estimates with moderate confidence that this technique is being used to counter attacks on defenders by concealing their activity and complicating attribution.

Threat actors turn to global ORBs

Simply put, an ORB is a collection of facilities from around the world managed and administered by independent entities and individuals in the People’s Republic of China. The ORB network is used by many different APT groups to obfuscate their activities.

John Hultquist, Mandiant’s principal analyst at Google Cloud, summarized ORB’s use by stating that “Chinese cyber espionage used to be noisy and easy to track. This is a new type of opponent.”

By relaying internet traffic through devices near the target organization, threat actors can interfere with traffic that might otherwise seem legitimate. This technique is particularly effective for enterprise-level organizations with constantly changing infrastructure.

Most often, owners of compromised devices are unaware that they are contributing to the ORB because some IPv4 addresses are active as nodes in the network for only 31 days.

Using ORB networks, cybercriminals take down common IoCs that defenders rely on to identify a potential breach or intrusion. Typically, a defender can be alerted to traffic escaping the geographic boundaries of its network or can attribute the attack to a specific actor by analyzing the network infrastructure used to carry out the attack.

“ORB networks are one of the main innovations in Chinese cyber espionage and pose a challenge to defenders. They are like a maze that is constantly changing, with the entrance and exit disappearing every 60 to 90 days,” said Michael Raggi, principal analyst for Mandiant at Google Cloud.

“To target someone, they could be coming from a home router down the street. It is not unusual for a completely unaware person’s home router to be involved in an act of espionage,” he concluded.