RESEARCH: IoCs are dead. Long Live IoCs.

Research Summary

Orb networks, also known as Operational Relay Box (ORB) networks, are sophisticated proxy networks used by APT groups, particularly Chinese cyber-espionage actors, to obfuscate their activities and evade detection. These networks typically consist of virtual private servers (VPS), compromised smart devices, and routers. The primary goal of this research was to understand the function and relevance of orb networks, identify their usage by APT groups, uncover associated TTPs, IoCs, and mitigations, and provide a comprehensive report on the findings.

Findings

1. Definition and Function of Orb Networks

Orb networks are vast infrastructures composed of VPS, compromised smart devices, and routers. They are used to conceal the origin of malicious traffic, making it difficult for defenders to trace and block attacks. These networks have been around for years but have become increasingly common and sophisticated since 2020, particularly in China. ORBs are maintained either by private companies or elements within the Chinese government and facilitate multiple threat clusters at any given time.

2. Usage by APT Groups

Chinese cyber-espionage actors, among others, use ORBs to mask their activities. These networks are made up of five layers:

  • Chinese servers used to manage the nodes in the network.
  • VPSes (based in China or Hong Kong) from which attackers authenticate to the network and distribute traffic.
  • Traversal nodes, which constitute the bulk of the nodes in the network.
  • Exit nodes, bridging the ORB and victim environments.
  • A victim server.

ORBs can be provisioned (using commercially rented VPSes) or nonprovisioned (built on compromised and end-of-life routers and IoT devices). They can also be hybrids of the two. The sheer size and scope of these networks, often hundreds of thousands of nodes deep, provide significant cover, making it challenging for defenders to attribute and learn more about attackers.

3. Tactics, Techniques, and Procedures (TTPs)

The TTPs associated with orb networks include:

  • Infrastructure-as-a-Service: ORBs are professionalized infrastructures that multiple APT actors can use simultaneously.
  • Dynamic IP Usage: ORB nodes are short-lived, with new devices cycled in and out every few months, preventing defenders from tying IPs to their users for extended periods.
  • Geographic Spread: ORBs' geographic distribution reduces exposure to any one nation's infrastructure and allows attackers to appear less suspicious by connecting to targets from within their own region.
  • Behavioral Patterns: Defenders are encouraged to look for patterns in infrastructure, such as the types of routers compromised, ports and services used, and patterns in SSL or SSH certificates.

4. Indicators of Compromise (IoCs)

Due to the dynamic nature of ORBs, static IoCs like IP addresses are less effective. Instead, defenders should focus on behavior-based signatures and patterns of activity. Some specific IoCs identified include:

  • IP Addresses: While not static, certain IP ranges associated with VPS providers in China and Hong Kong can be monitored.
  • Compromised Devices: Identifying and monitoring compromised routers and IoT devices used as traversal and exit nodes.
  • SSL/SSH Certificates: Patterns in certificates used by ORB nodes can provide clues to their activity.
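The "Behavioral Patterns" item in section 3 and the certificate bullet above both argue that a shared certificate template survives node rotation while an IP blocklist does not. The following is an added example (not code from the report or any of its sources) that contrasts the two approaches over constructed connection records; the TEST-NET addresses, the "CN=localhost" template and the 3,650-day validity threshold are all invented for illustration.

```python
# Added example: static IP blocklist vs. certificate-pattern rule over
# constructed connection records. Shows why a behaviour-based signature
# keeps matching after ORB nodes are cycled out.
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Conn:
    src_ip: str          # external peer that connected to us
    dst_port: int
    tls_subject: str     # subject presented by the peer's certificate
    tls_issuer: str
    validity_days: int   # notAfter minus notBefore

# Constructed sample (RFC 5737 TEST-NET addresses, invented cert fields).
# Week 1: three relay nodes share a self-signed, long-lived cert template.
WEEK1 = [
    Conn("192.0.2.10", 443, "CN=localhost", "CN=localhost", 3650),
    Conn("192.0.2.11", 443, "CN=localhost", "CN=localhost", 3650),
    Conn("198.51.100.7", 443, "CN=localhost", "CN=localhost", 3650),
    Conn("203.0.113.5", 443, "CN=mail.example.test", "CN=Example CA", 90),
]
# Week 2: the nodes were rotated; new IPs, same certificate template.
WEEK2 = [
    Conn("198.51.100.20", 443, "CN=localhost", "CN=localhost", 3650),
    Conn("198.51.100.21", 443, "CN=localhost", "CN=localhost", 3650),
    Conn("203.0.113.5", 443, "CN=mail.example.test", "CN=Example CA", 90),
]

BLOCKLIST = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}  # learned in week 1

def match_ip_blocklist(conns, blocklist):
    """Static IoC approach: flag only peers whose IP is already known."""
    return [c for c in conns if c.src_ip in blocklist]

def match_cert_pattern(conns, min_validity_days=3000):
    """Behavioural rule (assumed template): self-signed (subject == issuer),
    placeholder CN, unusually long validity."""
    return [c for c in conns
            if c.tls_subject == c.tls_issuer
            and c.tls_subject == "CN=localhost"
            and c.validity_days >= min_validity_days]

def cluster_by_template(conns):
    """Group peers by (subject, issuer, validity) so templates shared
    across otherwise unrelated IPs stand out for analyst review."""
    counts = Counter((c.tls_subject, c.tls_issuer, c.validity_days) for c in conns)
    return {key: n for key, n in counts.items() if n > 1}
```

Against the week-2 records the blocklist matches nothing, while the certificate rule still flags both rotated nodes and leaves the legitimately issued certificate alone.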

5. Mitigations

Mitigations against attacks leveraging orb networks include:

  • Behavioral Analysis: Developing behavior-based signatures to detect patterns of activity associated with ORBs.
  • Network Segmentation: Implementing network segmentation to limit the spread of attacks within an organization.
  • Regular Monitoring: Continuously monitoring network traffic for signs of ORB activity, such as unusual patterns in router and IoT device behavior.
  • Threat Intelligence Sharing: Collaborating with other organizations and threat intelligence providers to share information on ORB activity and associated IoCs.

The findings from this research provide a comprehensive understanding of orb networks and their use by APT groups, particularly Chinese cyber-espionage actors. By focusing on behavior-based detection and continuous monitoring, defenders can better protect their networks against these sophisticated threats.

Get questions like this? Do they take chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?

This baseline report was thoughtfully researched and took 5 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst. We just did the grunt work.

Join the waiting list

Did this help you? Forward it to a friend!

(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0