
Chinese-linked hacking units increasingly use ‘ORBs’ to obfuscate espionage, researchers say

Scores of purchased or compromised devices used in “operational relay box networks” make detection and defense harder.

Successfully tracking Chinese-linked cyber espionage operations is becoming increasingly difficult as Beijing’s hackers shift toward networks of virtual private servers and compromised smart devices to conceal their campaigns, researchers with Google Cloud’s Mandiant said Wednesday.

Although not necessarily a new tactic, the growing use of such networks, akin to botnets, makes life harder for those tasked with defending networks amid frequent warnings from Western governments about aggressive Chinese espionage and pre-positioning within U.S. critical infrastructure networks as part of activity tracked as Volt Typhoon. 

The tactic also represents the latest way in which Chinese hacking operations are growing increasingly difficult to detect.

The obfuscation networks — known as “operational relay box networks,” or ORBs — are not operated directly by government-controlled hacking units, the researchers said. Instead, they’re administered by contractors or other administrators within China and are frequently used by multiple Chinese government-linked hacking campaigns as part of espionage or reconnaissance efforts.


The approach dovetails with tactics used by many state-aligned actors — not just those from China — who compromise small and home office routers to route traffic through devices that are less likely to be secured and also can help obfuscate the traffic’s origin. In January, for instance, the U.S. Department of Justice disrupted a network of hundreds of such routers being used by Russian military intelligence “to conceal and otherwise enable a variety of crimes,” the agency said at the time.

ORB networks are composed of “nodes,” or individual physical or virtual devices, that are typically routers or leased virtual private servers, or both, the researchers said, with key relay nodes at a major Chinese or Hong Kong-based cloud provider. They’re distributed across the world in a way that reduces exposure and limits any one country’s ability to shut them down. 

An example ORB tracked by Mandiant as “Spacehop,” which the researchers said is used by multiple Chinese-linked hacking campaigns, “maintains a robust volume of nodes in Europe, the Middle East, and the United States,” per the report.  


ORB network-hosted infrastructure, such as domains or IP addresses, has a short lifespan, meaning that traditional clues and indicators used by defenders to spot and remedy adversarial operations are increasingly less relevant, the researchers said. The indicators, known in the threat intelligence industry as “Indicators of Compromise,” or IOCs, have for years been relied upon to detect and block likely malign behavior, but the use of ORBs makes IOCs a less reliable tool for detecting and blocking hacking operations.


Michael Raggi, principal analyst at Mandiant, said it used to be that a defender could block one known bad IP address targeting their network. “Now you’re protected against that one IP, but what if you also knew that this ORB network consisted of somewhere between 200,000-300,000 IPs, and they cycle out those IP addresses between 60 and 90 days?” Raggi said in an email.

The use of such tactics by state-backed hacking groups represents a particularly difficult threat to defend against. “You’re dealing with a dedicated entity whose sole job it is to maintain a vast array of different types of compromised routers, just for the purpose of renting those out so that someone can try and access your environment with them,” Raggi said. 

The ORBs themselves should be tracked as their own distinct threats, the researchers said. 

“Rather than waiting to be reactive, or responsive to block each IP as an indicator of compromise, you should be trying to look at the patterns of infrastructure that they’re registering, what types of routers they are compromising, what ports and services do we know that they’re coming from,” Raggi said. “This way you have a profile of activity to look for — something to create behavior-based rules with now, rather than just rely on indicators of compromise that you’re blocking in one-off.”
