Saturday, October 19, 2024

The Rise of ORBs: How Hacking Groups Conceal Their Attacks

Cyber-espionage groups are using operational relay box networks (ORBs), also known as proxy networks, to make it harder to identify the source of their attacks. Chinese-backed espionage operations in particular are leveraging ORBs to cover their tracks. These networks consist of virtual private servers (VPS), compromised Internet of Things (IoT) devices, and insecure routers, which makes attacks harder for defenders to trace. ORB networks constantly reconfigure and change, with their entry and exit nodes disappearing every 60 to 90 days. This churn lets attackers launch attacks without being easily detected or attributed to a specific group.

Mandiant, a cybersecurity company, recommends that enterprise security teams shift their focus and treat ORB networks as ever-evolving entities, much as they already treat advanced persistent threat (APT) groups. The use of ORBs by China-backed cyber-espionage actors has increased in recent years. These infrastructure networks are shared among multiple APT actors and are not under the control of a single hacking group. Because of this, security teams need to track each ORB network as an entity in its own right rather than simply blocking infrastructure associated with a given attacker. This shift in perspective is crucial to dealing effectively with the challenges posed by ORB networks.
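To show why Mandiant's advice matters in practice, here is an added example (not code from the post or from Mandiant) of tracking an ORB network as one evolving entity: each node carries first-seen/last-seen dates and is retired once it has not been re-observed within the post's 60-90 day rotation window, and two helpers measure how quickly a static IP blocklist decays against that churn. The entity label "ORB-A", the sightings and the January blocklist are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

ROTATION_DAYS = 90            # post: ORB entry/exit nodes turn over every 60-90 days
AS_OF = date(2024, 5, 1)      # constructed "today" for the sample sightings below


class OrbTracker:
    """Track an ORB network as one evolving entity, not a fixed IP blocklist:
    a node not re-observed within the rotation window counts as retired."""
    def __init__(self, rotation_days=ROTATION_DAYS):
        self.rotation_days = rotation_days
        self.nodes = defaultdict(dict)  # entity -> {ip: [first_seen, last_seen, kind]}

    def observe(self, entity, ip, seen, kind):
        # kind is "vps", "iot" or "router", the node types the post names
        rec = self.nodes[entity].setdefault(ip, [seen, seen, kind])
        rec[0], rec[1] = min(rec[0], seen), max(rec[1], seen)

    def active_nodes(self, entity, as_of):
        cutoff = as_of - timedelta(days=self.rotation_days)
        return sorted(ip for ip, (_, last, _) in self.nodes[entity].items() if last >= cutoff)

    def blocklist_staleness(self, entity, blocklist, as_of):
        """Share of a static blocklist that no longer points at an active node."""
        active = set(self.active_nodes(entity, as_of))
        return sum(ip not in active for ip in blocklist) / len(blocklist) if blocklist else 0.0

    def blocklist_coverage(self, entity, blocklist, as_of):
        """Share of the currently active nodes that the static blocklist still catches."""
        active, listed = self.active_nodes(entity, as_of), set(blocklist)
        return sum(ip in listed for ip in active) / len(active) if active else 1.0


# Constructed sightings using RFC 5737 documentation addresses; "ORB-A" is a hypothetical label.
SAMPLE_SIGHTINGS = [
    ("ORB-A", "203.0.113.10", date(2024, 1, 5), "vps"),
    ("ORB-A", "198.51.100.7", date(2024, 1, 5), "router"),
    ("ORB-A", "203.0.113.10", date(2024, 2, 20), "vps"),     # re-observed: still live
    ("ORB-A", "192.0.2.33", date(2024, 4, 1), "iot"),        # fresh node
    ("ORB-A", "203.0.113.44", date(2024, 4, 15), "vps"),     # fresh node
]
JANUARY_BLOCKLIST = ["203.0.113.10", "198.51.100.7"]  # static snapshot taken in January


def build_sample_tracker():
    tracker = OrbTracker()
    for entity, ip, seen, kind in SAMPLE_SIGHTINGS:
        tracker.observe(entity, ip, seen, kind)
    return tracker
```

By May the January blocklist is half stale and catches only a third of the nodes the network is actually using, which is the decay a static "block the attacker's IPs" approach suffers against a rotating ORB.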