Chinese Hackers Rely on Covert Proxy Networks to Evade Detection

Chinese-backed threat actors, including groups like Volt Typhoon, are increasingly using proxy networks known as operational relay boxes (ORBs) for cyber espionage, according to a Mandiant report published on May 22. ORBs, similar to botnets, are mesh networks comprising compromised devices like virtual private servers, Internet of Things devices, smart devices, and routers. These devices act as global proxies, forming nodes in the ORB network, which essentially turns them into secret outposts for intelligence services or cyber espionage groups.

Mandiant classifies ORB networks into two types: provisioned networks and non-provisioned networks. Provisioned networks are made up of commercially leased VPS space managed by ORB administrators, such as ORB3 or SPACEHOP, which are controlled by Chinese intelligence services. Non-provisioned networks consist of compromised and end-of-life routers and IoT devices, such as ORB1 or ORBWEAVER and ORB3 or FLORAHOX. Additionally, hybrid networks combine both leased VPS devices and compromised devices. ORB administrators spread their nodes across providers in different autonomous system numbers (ASNs) and regions to minimize exposure and reduce reliance on any single nation's internet infrastructure. An ASN identifies a unique network or group of networks on the internet that share a common routing policy and are managed by a single administrative entity.

Security Officer Comments:
ORBs facilitate cyber espionage by obfuscating traffic between C2 infrastructure and victim environments, often exploiting zero-day vulnerabilities in edge devices. Mandiant noted that the adversary-controlled operations servers (ACOS) and relay nodes are most commonly hosted in China-affiliated and Hong Kong-based IP space, while the remaining nodes are distributed globally. The widespread use of ORBs by Chinese threat actors complicates network defense by rendering traditional indicators of compromise ineffective, because the threat actors frequently rotate the network infrastructure those indicators describe. This tactic makes the origin of the traffic appear typical and benign, and it complicates attribution because multiple actors share the same infrastructure, which is supplied by individual contractors and other providers. Mandiant concludes that the rise of ORB usage by Chinese threat actors signifies significant investment in advanced tactics and tools for enterprise exploitation, aiming to raise the cost of defending a network and shift the advantage toward espionage operators.

Suggested Corrections:
Mandiant suggests that defenders shift their approach from treating adversary infrastructure as static IOCs to tracking ORBs as evolving entities, akin to the way advanced persistent threat groups are tracked. This strategy would help enterprises better manage the threat posed by ORB networks. The high volume of APT-related traffic through globally distributed nodes indicates that these networks target a wide array of geographic regions, including the US, Europe, and the Middle East. An example of this is ORB3 or SPACEHOP, an active network used by multiple China-nexus threat actors.
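To make the difference between the two approaches concrete, the following added example (not code from the Mandiant report or any vendor tool) models an ORB as an entity that keeps its recently seen nodes, the /24 blocks and the ASNs it has drawn from, and compares that against exact matching on a day-0 indicator snapshot after the network has churned. The `OrbEntity` class, the 14-day node expiry, the scoring weights and every address, ASN and date are assumptions constructed for this example.

```python
"""Static IOC matching versus tracking an ORB as an evolving entity.
Every address, ASN and date below is constructed sample data, not an indicator
from the Mandiant report; the 14-day node expiry, the longer ASN window and the
scoring weights are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

NODE_TTL = timedelta(days=14)  # assumed: a relay node counts as active this long

@dataclass
class OrbEntity:
    nodes: dict = field(default_factory=dict)    # ip -> last seen
    asns: dict = field(default_factory=dict)     # asn -> last seen
    prefixes: set = field(default_factory=set)   # /24 blocks the ORB has drawn from

    def observe(self, ip, asn, seen):
        self.nodes[ip], self.asns[asn] = seen, seen
        self.prefixes.add(ip_network(f"{ip}/24", strict=False))

    def score(self, ip, asn, now):
        # 3: node seen within TTL; 2: same /24 as a past node; 1: same ASN; 0: none
        if ip in self.nodes and now - self.nodes[ip] <= NODE_TTL:
            return 3
        if any(ip_address(ip) in p for p in self.prefixes):
            return 2
        if asn in self.asns and now - self.asns[asn] <= 3 * NODE_TTL:
            return 1  # assumed: an ASN stays in use longer than any single node
        return 0

T0 = datetime(2024, 5, 1)
OBSERVED = [("198.51.100.10", 64500, T0), ("203.0.113.7", 64501, T0)]  # day-0 nodes
IOC_SNAPSHOT = {ip for ip, _, _ in OBSERVED}  # what a static indicator feed ships
ORB = OrbEntity()
for ip, asn, seen in OBSERVED: ORB.observe(ip, asn, seen)

T30 = T0 + timedelta(days=30)  # constructed connections after 30 days of churn
EVENTS = [
    {"ip": "198.51.100.44", "asn": 64500, "ts": T30},  # new node, same /24
    {"ip": "192.0.2.9", "asn": 64501, "ts": T30},      # new block, same ASN
    {"ip": "192.0.2.200", "asn": 64999, "ts": T30},    # unrelated source
]

def static_ioc_hits(events, snapshot=IOC_SNAPSHOT):
    """Exact match against the day-0 snapshot: misses every churned node."""
    return [e["ip"] for e in events if e["ip"] in snapshot]

def entity_hits(events, orb=ORB, min_score=1):
    """Score each source against the tracked ORB entity instead."""
    scored = ((e["ip"], orb.score(e["ip"], e["asn"], e["ts"])) for e in events)
    return [(ip, s) for ip, s in scored if s >= min_score]
```

With the sample data, `static_ioc_hits(EVENTS)` returns nothing once the original nodes have rotated out, while `entity_hits(EVENTS)` still surfaces the two sources that share a netblock or ASN with the tracked network; the lower scores are leads for analyst review rather than block decisions.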