Global botnets are being abused by hackers — and they can even hide all the evidence using ORB networks
China-nexus ORB networks abuse IoT devices to hide attacker activity, Mandiant warns
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Threat actors are constantly evolving their techniques to remain undetected when infiltrating organizations, with newresearchrevealing how persistent groups like Volt Typhoon are evading detection.
Mandiant has observed increased usage of operational relay box networks (ORBs) to obscure indicators of compromise (IoC). These ORBs are essentially a botnet made of IoT devices, virtual private servers, smart devices, and older routers that no longer receive security updates.
This complex mesh of devices helps to hide the activity of threat actors, with Mandiant assessing with moderate confidence that this technique is being used to push back against defenders by hiding their activity and complicating attribution.
Threat actors turn to global ORBs
To break it down into more simple terms, an ORB is a collection of devices from around the globe managed and administered by independent entities, and individuals within the People’s Republic of China. The ORB network is used by many different APT groups to obfuscate their activity.
John Hultquist, Mandiant Principal Analyst atGoogleCloud, summed up the use of ORBs, stating that, “Chinese cyber espionage was once noisy and easily trackable. This is a new type of adversary.”
By cycling their internet traffic through devices located geographically nearby to the target organization, threat actors can blend in with traffic that may otherwise appear legitimate. This technique is particularly effective against enterprise-level organizations with a constantly changing infrastructure.
More often than not, the owners of the compromised devices are not aware that they are contributing to the ORB, with some IPv4 addresses only being active as a node in the network for as few as 31 days.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
By using ORB networks, threat actors are removing the typical IoCs on which defenders rely to identify a potential breach or intrusion. Typically, a defender could be alerted to traffic that is outside the geographical boundaries of their network, or be able to attribute an attack to a particular actor by analyzing the network infrastructure used to launch the attack.
“ORB networks are one of the major innovations in Chinese cyber espionage that are challenging defenders. They’re like a maze that is continually reconfiguring with the entrance and the exit disappearing from the maze every 60 - 90 days,” said Michael Raggi, Mandiant Principal Analyst at Google Cloud.
“In order to target someone, these actors may be coming from a home router right down the street. It’s not unusual for an entirely unwitting person’s home router to be involved in an act of espionage,” he concluded.
More from TechRadar Pro
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days
A new form of macOS malware is being used by devious North Korean hackers
How to turn off Meta AI
