IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders

Mandiant Intelligence describes a growing trend where China-nexus actors use ORB networks—proxy networks of VPS and compromised IoT devices—to conceal espionage operations. The piece argues that ORB networks raise the cost and complexity of defense, and that defenders should track them as evolving entities rather than as static blocks of IOCs. #SPACEHOP #FLORAHOX

Keypoints

  • ORB networks are infrastructure networks (often comprising VPS, compromised routers, and IoT devices) used to relay espionage traffic and scale quickly.
  • They disguise traffic between C2 infrastructure and victim environments, including edge devices exploited via zero-day flaws.
  • Networks often combine rented VPS nodes with router-targeting malware to grow their relay capacity.
  • The lifespan of an IPv4 ORB node can be very short (as few as 31 days) and infrastructure cycling is a differentiator among contractors.
  • Attribution becomes harder when C2 traffic can originate near targets and be routed through third-party providers, complicating traditional IOC-based tracing.
  • The anatomy of an ORB network includes ACOS servers, relay nodes, traversal nodes, exit/staging nodes, and the victim server.
  • ORB networks are categorized as provisioned (leased VPS), non-provisioned (compromised routers/IoT), or hybrid, and are used by a range of China-nexus actors.
  • Defenders are urged to shift from blocking IOCs to tracking ORB networks as evolving adversaries with distinct TTPs.
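As an added illustration of the shift described in the last keypoint (this is not code from the Mandiant post), the snippet below models an ORB network as a tracked entity rather than an IOC list: node sightings expire after the 31-day lifespan cited above, and each network is summarised by its provisioned/non-provisioned mix, its current providers and the relay/traversal/exit roles of its live nodes. The `NodeSighting` fields, provider labels and sample IPs are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
# Shortest IPv4 ORB-node lifespan cited on the page; a node unseen for longer
# is treated as cycled out rather than kept as a durable block-list entry.
NODE_LIFESPAN = timedelta(days=31)

@dataclass(frozen=True)
class NodeSighting:
    ip: str            # constructed sample value, not a real indicator
    role: str          # "relay", "traversal" or "exit" (ORB anatomy from the page)
    provider: str      # hosting provider for leased VPS, or "compromised-router"
    provisioned: bool  # True = leased VPS, False = compromised router/IoT device
    network: str       # ORB network label, e.g. "SPACEHOP"
    last_seen: date

@dataclass
class OrbProfile:
    network: str
    kind: str                  # "provisioned", "non-provisioned" or "hybrid"
    active: list[str]          # node IPs seen within NODE_LIFESPAN
    stale: list[str]           # node IPs that have probably been cycled out
    providers: dict[str, int]  # where the network currently rents or recruits capacity
    roles: dict[str, int]      # relay/traversal/exit mix of the active nodes

def classify(sightings: list[NodeSighting]) -> str:
    """Provisioned, non-provisioned or hybrid, following the page's taxonomy."""
    kinds = {s.provisioned for s in sightings}
    if kinds == {True}:
        return "provisioned"
    if kinds == {False}:
        return "non-provisioned"
    return "hybrid" if kinds else "unknown"

def profile_network(sightings: list[NodeSighting], network: str, today: date) -> OrbProfile:
    """Summarise one ORB network as an evolving entity instead of a static IOC list."""
    mine = [s for s in sightings if s.network == network]
    live = [s for s in mine if today - s.last_seen <= NODE_LIFESPAN]
    stale = [s for s in mine if today - s.last_seen > NODE_LIFESPAN]
    return OrbProfile(network, classify(mine), sorted(s.ip for s in live),
                      sorted(s.ip for s in stale),
                      dict(Counter(s.provider for s in live)),
                      dict(Counter(s.role for s in live)))

# Constructed sightings (documentation-range IPs, not real indicators).
SAMPLE = [
    NodeSighting("192.0.2.10", "relay", "vps-provider-a", True, "FLORAHOX", date(2024, 5, 25)),
    NodeSighting("192.0.2.11", "exit", "vps-provider-a", True, "FLORAHOX", date(2024, 3, 30)),
    NodeSighting("198.51.100.7", "traversal", "compromised-router", False, "FLORAHOX", date(2024, 5, 28)),
    NodeSighting("203.0.113.5", "relay", "vps-provider-b", True, "SPACEHOP", date(2024, 5, 1)),
]
```

Re-running `profile_network` as new sightings arrive keeps the network-level profile current while individual stale IPs drop out, which is the tracking posture the keypoint recommends.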

MITRE Techniques

  • [T1090] Proxy – Relay traffic through ORB networks to conceal C2 communications. ‘disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities.’
  • [T1046] Network Service Discovery – Conduct network reconnaissance scanning and vulnerability exploitation. ‘to conduct network reconnaissance scanning and vulnerability exploitation conducted by China-nexus threat actors.’
  • [T1583] Acquire Infrastructure – Provisioned networks comprising leased VPS devices via commercial services. ‘Leased VPS devices via commercial services.’
  • [T1041] Exfiltration Over C2 Channel – Traffic egress through ORB networks that can blend in with normal traffic and be hard to detect. ‘traffic to egress from devices that have a geographic proximity to targeted enterprises, which allows traffic to blend in or otherwise not be anomalous when being reviewed by analysts.’

Indicators of Compromise

  • [CVE] CVE-2022-27518 – Exploited vulnerability; linked to APT5/UNC2630 activity in late December 2022.
  • [Tool] PETALTOWER – MIPS router tunneler payload; used with SHIMMERPICK, which supplies its command-line inputs for network traversal.
  • [Tool] SHIMMERPICK – Bash scripts/controllers for PETALTOWER payload configuration.
  • [Tool] FLOWERWATER – Router-based payload used to recruit devices and augment the FLORAHOX network.
  • [Infrastructure] SPACEHOP / ORB3 – Provisioned ORB network infrastructure used by multiple China-nexus actors (e.g., APT5, APT15).
  • [Infrastructure] FLORAHOX – Non-provisioned/hybrid network comprising compromised routers/IoT devices and VPS, used by actors including APT31 and Zirconium.

Read more: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks/