China’s Espionage Tactics: ORB Networks and the Rise of Proxy Armies

Chinese hackers have increasingly leveraged an extensive network of proxies composed of VPS servers and compromised online devices to conduct espionage.

These proxy networks consist of Operational Relay Boxes (ORBs), administered by independent cybercriminals who grant access to government hackers. ORBs resemble botnets but can be a hybrid of rented VPS and compromised IoT devices.

The ORB3/SPACEHOP Network

Mandiant tracks several ORB networks, two of which are actively used by Chinese APT groups. One of them, tracked as ORB3/SPACEHOP, is employed by APT5 and APT15 for reconnaissance and vulnerability exploitation.

SPACEHOP was used in December 2022 to exploit CVE-2022-27518 in Citrix ADC and Gateway, exploitation that the NSA attributed to APT5. Mandiant specialists assert that SPACEHOP uses a relay server located in Hong Kong or China and runs an open C2 infrastructure for managing its nodes.

The ORB2/FLORAHOX Network

The ORB2/FLORAHOX network is a hybrid network consisting of a C2 server, compromised connected devices (routers and IoT), and VPS hosts that route traffic through Tor and several compromised routers. Researchers believe this network is used in espionage campaigns by various Chinese groups to disguise the origin of their traffic.

The network comprises multiple subnets, including devices compromised using FLOWERWATER and other router-based payloads. Despite ORB2/FLORAHOX being used by various threat groups, Mandiant reports clusters of activity attributed to Chinese APT31/Zirconium, focused on intellectual property theft.

Challenges in Enterprise Defense

The use of ORBs creates significant challenges for enterprises, as they provide concealment, resilience, and independence from the operators' home-country internet infrastructure. These networks are actively used by various groups for limited periods, complicating tracking and attribution.

According to Mandiant, the lifespan of an ORB node IP address can be as short as 31 days, allowing attackers to refresh substantial portions of their compromised or rented infrastructure monthly.

Traffic analysis of ORB networks is further complicated by administrators sourcing nodes from providers in many different ASNs around the world. This makes the networks more robust and lets attackers reach a target enterprise from devices in its geographic proximity, which raises fewer suspicions during traffic analysis.

With the increased use of ORBs by hackers, defending corporate environments has become increasingly challenging. Detecting such networks is more difficult, attribution is more problematic, and adversary infrastructure indicators are less useful for defenders. In the face of growing cyber-espionage threats, enterprises must develop new defense strategies and adapt to evolving attack methods.
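The node churn described above (an ORB IP can rotate in about 31 days) means a static IP blocklist loses value quickly. The following added example, not code from the article or from Mandiant, shows one defensive response: matching firewall log lines against an IP indicator feed while decaying each indicator's confidence to zero over one rotation window and flagging indicators that have aged out. The indicator feed, the log format and all IP addresses are constructed for illustration.

```python
from datetime import date

# The article's figure: an ORB node IP may be rotated in about 31 days.
ORB_ROTATION_DAYS = 31

# Constructed indicator feed (documentation-range IPs, not real ORB nodes):
# ip -> date the indicator was first observed.
INDICATORS = {
    "192.0.2.10": date(2024, 1, 5),
    "192.0.2.22": date(2024, 3, 1),
    "198.51.100.7": date(2024, 3, 20),
}

# Constructed firewall log lines: "<date> src=<ip> dst=<ip> action=<allow|deny>"
LOG_LINES = [
    "2024-03-25 src=192.0.2.10 dst=10.0.0.5 action=allow",
    "2024-03-25 src=192.0.2.22 dst=10.0.0.5 action=allow",
    "2024-03-26 src=198.51.100.7 dst=10.0.0.9 action=deny",
    "2024-03-26 src=203.0.113.4 dst=10.0.0.9 action=allow",
]

TODAY = date(2024, 3, 26)  # assumed "current" date for the example


def indicator_weight(first_seen, today, rotation_days=ORB_ROTATION_DAYS):
    """Confidence in an IP indicator, decaying linearly to 0 over one rotation window."""
    age = (today - first_seen).days
    if age < 0:
        return 1.0
    return max(0.0, 1.0 - age / rotation_days)


def parse_line(line):
    """Return (date, src_ip) from one constructed log line."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return date.fromisoformat(parts[0]), fields["src"]


def score_log(lines, indicators, today):
    """Match source IPs against the feed; return {ip: weight}, with weights reduced by indicator age."""
    hits = {}
    for line in lines:
        _, src = parse_line(line)
        if src in indicators:
            hits[src] = round(indicator_weight(indicators[src], today), 2)
    return hits


def stale_indicators(indicators, today):
    """IPs older than one rotation window: on an ORB-backed campaign the node has likely moved on."""
    return sorted(ip for ip, seen in indicators.items() if indicator_weight(seen, today) == 0.0)


if __name__ == "__main__":
    print(score_log(LOG_LINES, INDICATORS, TODAY))   # {'192.0.2.10': 0.0, '192.0.2.22': 0.19, '198.51.100.7': 0.81}
    print(stale_indicators(INDICATORS, TODAY))       # ['192.0.2.10']
```

A hit on a zero-weight indicator is still worth logging, but it should trigger enrichment (ASN, first-seen for the session, behaviour of the connection) rather than a block on its own.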