Chinese cyberespionage has become a significant concern for cybersecurity experts worldwide. Researchers have identified a new tactic used by Chinese hackers that makes it even more challenging to detect and prevent cyberattacks.
This tactic involves using ORB (Operational Relay Box) networks. These networks utilize domains or IP addresses with short lifespans, making traditional methods of detecting and blocking cyber threats less effective.
What Are ORB Networks?
ORB networks host their infrastructure, such as domains or IP addresses, for a short period. This means that traditional clues and indicators used by defenders, known as “Indicators of Compromise” (IOCs), are becoming less useful. For years, IOCs have been relied upon to detect and block likely malicious behavior. However, the use of ORBs makes IOCs less reliable for detecting and blocking hacking operations.
Vast and Dynamic Networks
Michael Raggi, a principal analyst at Mandiant, explains that defenders used to block one known bad IP address targeting their network. However, now they face the challenge of ORB networks consisting of hundreds of thousands of IPs, which cycle out every 60 to 90 days. This tactic represents a particularly difficult threat to defend against, as it involves maintaining a vast array of compromised routers.
Tracking ORB Networks
Researchers suggest that ORBs themselves should be tracked as distinct threats. Instead of reacting to each IP as an indicator of compromise, defenders should look at the patterns of infrastructure that hackers are registering. By understanding the types of routers being compromised and the ports and services they use, defenders can create behavior-based rules to detect malicious activities.
This approach requires a shift from relying solely on IOCs to focusing on the behavior of the network. By tracking the activities and infrastructure patterns of ORB networks, defenders can develop profiles of malicious activities. This proactive method can help in identifying and mitigating threats more effectively.
Challenges in Detecting Chinese Cyberespionage
You may like to read about Cyber Espionage
China’s Changing Tactics in Cyber Espionage: A Focus on Zero Day Exploit
Concealing Campaigns
Chinese-linked cyber espionage operations are becoming increasingly difficult to track. Beijing’s hackers are shifting towards using networks of virtual private servers and compromised smart devices to conceal their campaigns. These networks, similar to botnets, complicate the task of defending against cyber threats.
Non-Governmental Operation
The obfuscation networks, known as ORBs, are not directly operated by government-controlled hacking units. Instead, they are managed by contractors or other administrators within China. These networks are frequently used by multiple Chinese government-linked hacking campaigns for espionage or reconnaissance efforts.
Global Tactics
Here is the Comparison with Other State Actors.
The approach used by Chinese hackers is similar to tactics employed by many state-aligned actors worldwide. These actors compromise small and home office routers to route traffic through less secure devices, helping to obfuscate the traffic’s origin. For instance, the U.S. Department of Justice disrupted a network of such routers being used by Russian military intelligence.
ORB networks are composed of nodes, which are individual physical or virtual devices, typically routers or leased virtual private servers. These networks have key relay nodes at major cloud providers based in China or Hong Kong. The distribution of these nodes across the world reduces exposure and limits any one country’s ability to shut them down.
Case Study: Spacehop
One example of an ORB network tracked by Mandiant is “Spacehop.” This network is used by multiple Chinese-linked hacking campaigns and maintains a significant number of nodes in Europe, the Middle East, and the United States. This widespread presence makes it challenging to track and shut down the network.
You may like to Read about Why UK Spy Chief was Furious About Chinese Cyber Espionage
Chinese cyberespionage tactics are evolving, making it increasingly difficult to detect and prevent cyberattacks. The use of ORB networks, which involve short-lived infrastructure and vast, dynamic networks, requires a shift in how defenders approach cybersecurity. By focusing on behavioral analysis and proactive tracking of these networks, defenders can better protect against these sophisticated threats. As cyber threats continue to evolve, so must the strategies and tools used to combat them.
