China’s ORB Network Expands Cyber Espionage to US & Asia

Summary

– China-linked actors are using a botnet called “LapDogs,” comprising 1,000+ compromised SOHO devices, to conduct cyber-espionage in the US and Asia.
– The campaign employs a custom backdoor, “ShortLeash,” which uses spoofed TLS certificates mimicking the LAPD to evade detection.
– Targets include sectors like real estate, IT, and media, primarily in the US, Japan, South Korea, Hong Kong, and Taiwan.
– Forensic evidence, such as Mandarin developer notes and TTPs, points to China-nexus APTs, with 162 distinct intrusion sets identified.
– ORB networks, used by groups like Volt Typhoon, are a growing tactic for Chinese actors to hide C2 communications and complicate attribution.

China-linked cyber espionage operations are leveraging a sophisticated network of compromised devices to target organizations across the United States and Asia, according to new findings from cybersecurity researchers. SecurityScorecard has uncovered a sprawling botnet dubbed “LapDogs,” consisting of over 1,000 infected small office and home office (SOHO) routers and IoT devices. These devices, combined with virtual private servers (VPS), form what’s known as an Operational Relay Box (ORB) network, a tactic designed to mask malicious activity and provide plausible deniability for attackers.

The campaign employs a custom backdoor called “ShortLeash,” which ensures long-term access to compromised systems while disguising communications with spoofed TLS certificates falsely attributed to the Los Angeles Police Department. This deceptive technique complicates forensic investigations, making attribution more challenging. Since its emergence in September 2023, the operation has methodically expanded, primarily focusing on victims in real estate, IT, networking, and media sectors across the U.S., Japan, South Korea, Hong Kong, and Taiwan.
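The certificate spoofing described above is something a defender can test for mechanically: a certificate that names a real organization but was never issued by a CA that organization would use is self-signed (or chains to nothing) and can be flagged on that basis alone. The following Go program is an added example, not code from SecurityScorecard or from the article. It builds a constructed self-signed certificate whose subject claims the Los Angeles Police Department, runs it through three checks a TLS monitoring pipeline can apply (self-signature, chain validation against a configured trust store, and a watchlist of names that should never appear on an untrusted certificate), then shows that the same subject on a certificate issued by a trusted private CA produces no findings. The certificate fields, the CA name and the watchlist are assumptions; the article does not publish the actual subject or issuer fields of the ShortLeash certificates.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one observation about a certificate a remote host presented.
type Finding string

const (
	SelfSigned      Finding = "self-signed: issuer equals subject and the signature verifies with the cert's own key"
	UntrustedIssuer Finding = "chain does not terminate in a configured trust root"
	NameOnWatchlist Finding = "subject claims a watch-listed organization but has no trusted issuer"
)

// inspectLeaf runs three checks on a captured leaf certificate: is it self-signed,
// does it chain to a root in roots, and, if either check fails, does its subject
// claim a name on the watchlist. A spoofed cert naming a real org trips all three.
func inspectLeaf(cert *x509.Certificate, roots *x509.CertPool, watchlist []string) []Finding {
	var out []Finding
	selfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	if selfSigned {
		out = append(out, SelfSigned)
	}
	// roots must be non-nil; a nil pool silently falls back to the system store.
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	if err != nil {
		out = append(out, UntrustedIssuer)
	}
	if !selfSigned && err == nil {
		return out // properly issued: the subject name is not our concern here
	}
	for _, n := range append([]string{cert.Subject.CommonName}, cert.Subject.Organization...) {
		for _, w := range watchlist {
			if strings.Contains(strings.ToLower(n), strings.ToLower(w)) {
				return append(out, NameOnWatchlist)
			}
		}
	}
	return out
}

// certTemplate builds a constructed certificate: a private root when isCA is set,
// otherwise a server leaf. Names are test values, not fields of any real ShortLeash cert.
func certTemplate(org, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs the certificate with signer;
// a nil signer (with tmpl passed as its own parent) produces a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	watch := []string{"Los Angeles Police Department"}
	// Case 1: a self-signed cert that merely claims the LAPD name (constructed).
	tmpl := certTemplate("Los Angeles Police Department", "lapd.example", false)
	fake, _ := issue(tmpl, tmpl, nil)
	fmt.Println("spoofed:", inspectLeaf(fake, x509.NewCertPool(), watch))
	// Case 2: the same subject, issued by a CA in our trust store: no findings.
	caTmpl := certTemplate("Example Corp", "Example Internal Root CA", true)
	ca, caKey := issue(caTmpl, caTmpl, nil)
	leaf, _ := issue(certTemplate("Los Angeles Police Department", "lapd.example", false), ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println("trusted:", inspectLeaf(leaf, pool, watch))
}
```

The second case is as important as the first: a bare watchlist would flag every legitimate certificate the named organization presents, so the name check only fires once chain validation has already failed. In a real pipeline the certificate would come from passive TLS capture or a network sensor's certificate log rather than being generated in place, and the trust pool would be the organization's own roots rather than a throwaway CA.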

SecurityScorecard identified 162 distinct intrusion sets, revealing the campaign’s meticulous planning and execution. Forensic evidence, including Mandarin-language developer notes within scripts and consistent tactics, techniques, and procedures (TTPs), strongly suggests the involvement of China-linked Advanced Persistent Threat (APT) groups. The research also highlights how attackers use certificate issuance dates and port assignments to tailor operations geographically.

ORB networks have become a favored tool among Chinese cyber operatives, with groups like Volt Typhoon and Weaver Ant previously using similar infrastructure to evade detection. Earlier this year, Check Point exposed an ORB network targeting global manufacturing suppliers, while Sygnia uncovered another linked to telecommunications providers.

SecurityScorecard also noted a related ORB network, “PolarEdge,” which shares some infrastructure with LapDogs but differs in TTPs and certificate management. According to Ryan Sherstobitoff, chief threat intelligence officer at SecurityScorecard, this campaign represents a strategic shift in cyber espionage, moving away from opportunistic attacks toward deliberate, long-term operations that exploit low-visibility devices to bypass traditional detection methods.

The findings underscore the growing sophistication of state-sponsored cyber threats and the increasing difficulty defenders face in identifying and mitigating these stealthy intrusions. Organizations, particularly those in high-risk sectors, are urged to strengthen network monitoring and patch vulnerable devices to reduce exposure to such attacks.

(Source: INFOSECURITY)
