Threat actors are constantly evolving their techniques to go undetected when infiltrating organizations, and new research reveals how persistent groups like Volt Typhoon are evading detection.
Mandiant has seen increased use of operational relay box (ORB) networks to hide indicators of compromise (IoCs). These ORBs are essentially a botnet made up of IoT devices, virtual private servers, smart devices, and older routers that no longer receive security updates.
This complex network of devices helps conceal the threat actors' activity, and Mandiant assesses with moderate confidence that the technique is being used to hinder defenders by obscuring that activity and complicating attribution.
Threat actors turn to global ORBs
To break it down into simpler terms, an ORB is a collection of devices around the world managed and administered by independent entities and individuals within the People's Republic of China. The ORB network is used by many different APT groups to hide their activity.
John Hultquist, Mandiant principal analyst on Google Cloud, summarized the use of ORBs, stating that “Chinese cyber espionage was once loud and easily traceable. This is a new type of adversary.”
By circulating their Internet traffic through devices located geographically close to the target organization, threat actors can blend in with traffic that might otherwise appear legitimate. This technique is particularly effective against enterprise-level organizations with constantly changing infrastructure.
Most of the time, owners of compromised devices are unaware that they are contributing to the ORB, and some IPv4 addresses are only active as a node on the network for as little as 31 days.
By using ORB networks, threat actors are eliminating the typical IoCs that defenders rely on to identify a potential breach or intrusion. Typically, a defender could be alerted about traffic that is outside the geographic boundaries of their network, or could attribute an attack to a particular actor by analyzing the network infrastructure used to launch the attack.
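The two detections described above, a geographic-boundary alert and a match against an IP indicator feed, can be run over a few constructed log lines to show exactly where an ORB relay slips through. This is an added example, not code from Mandiant or the article; the GeoIP table, the indicator feed, the home country and the log lines are all constructed (RFC 5737 documentation addresses), and the 31-day and 90-day age bands are taken from the figures quoted in the article.

```python
"""Geofence and indicator-age triage over constructed log lines (added example)."""
from datetime import date, datetime

HOME_COUNTRY = "US"  # assumption: the defended organisation sits in the US

# Stand-in for a GeoIP database (constructed values, documentation address ranges).
GEOIP = {
    "203.0.113.7": "CN",
    "198.51.100.23": "US",
    "192.0.2.45": "US",
}

# Stand-in for an IP indicator feed: indicator -> date it was last confirmed active.
IOC_FEED = {
    "203.0.113.7": date(2024, 5, 1),
    "192.0.2.45": date(2024, 1, 15),
}

# Age bands from the article: a node may be live for as little as 31 days, and the
# network's entry and exit points churn every 60 to 90 days.
FRESH_DAYS = 31
STALE_DAYS = 90

# Constructed log lines: timestamp, source IP, user, action.
LOG_LINES = [
    "2024-05-20T02:14:00Z 203.0.113.7 jdoe vpn_login",
    "2024-05-20T02:15:00Z 198.51.100.23 jdoe vpn_login",
    "2024-05-20T02:16:00Z 192.0.2.45 admin vpn_login",
]


def parse_line(line):
    """Split 'ts ip user action' into a dict; the timestamp becomes a date."""
    ts, ip, user, action = line.split()
    return {
        "date": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(),
        "ip": ip,
        "user": user,
        "action": action,
    }


def geofence_alert(ip):
    """Classic rule: alert when the source country is not the home country.
    Unknown addresses are treated as foreign so they are never silently ignored."""
    return GEOIP.get(ip, "??") != HOME_COUNTRY


def ioc_confidence(ip, today):
    """Confidence of an IP indicator match, decayed by how old the indicator is.
    Returns None when the IP is not on the feed at all."""
    last_seen = IOC_FEED.get(ip)
    if last_seen is None:
        return None
    age = (today - last_seen).days
    if age <= FRESH_DAYS:
        return "high"
    if age <= STALE_DAYS:
        return "medium"
    return "expired"


def triage(lines):
    """Apply both rules to every line; a record is flagged if either rule fires."""
    results = []
    for rec in map(parse_line, lines):
        rec["geofence"] = geofence_alert(rec["ip"])
        rec["ioc"] = ioc_confidence(rec["ip"], rec["date"])
        rec["flagged"] = rec["geofence"] or rec["ioc"] in ("high", "medium")
        results.append(rec)
    return results


def unflagged_ips(lines):
    """Source IPs that pass both rules: the gap an in-region relay node occupies."""
    return [r["ip"] for r in triage(lines) if not r["flagged"]]


if __name__ == "__main__":
    for r in triage(LOG_LINES):
        print(r)
```

The first line (a foreign IP on a fresh indicator) is caught by both rules. The second line is the ORB pattern the article describes: an in-country address that appears on no feed, so neither rule fires. The third line matches an indicator that is 126 days old, well past the churn window the article quotes, which is why the match is reported as expired rather than as an alert.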
“ORB networks are one of the main innovations in Chinese cyber espionage that challenges defenders. They are like a maze that continually reconfigures itself and the entrance and exit disappear from the maze every 60 to 90 days,” said Michael Raggi, principal analyst at Mandiant on Google Cloud.
“To attack someone, these actors can come from a home router down the street. It is not uncommon for a completely unwitting person's home router to become involved in an act of espionage,” Raggi concluded.