BleepingComputer reports that a growing number of Chinese state-sponsored threat actors are using massive operational relay box (ORB) networks, proxy meshes assembled from botnet-style compromised devices and rented servers, to conceal and facilitate cyberespionage efforts.
Among the ORBs leveraged by Chinese hacking operations is ORB3/SPACEHOP, which was used to enable attacks exploiting the critical Citrix NetScaler ADC and Gateway flaw tracked as CVE-2022-27518; that exploitation has been attributed to the APT5 group, also known as UNC2630, Mulberry Typhoon, and Keyhole Panda, according to a Mandiant report.
Researchers said ORB3/SPACEHOP consists of relay nodes built from cloned Linux-based images, which proxy traffic toward the node that ultimately communicates with the target, while the ORB2/FLORAHOX network is a hybrid that combines hacked routers and IoT devices with an Adversary Controlled Operations Server (ACOS) and virtual private servers, primarily to hide the origin of Chinese hacking activity.
Such use of ORB networks, as observed in Volt Typhoon intrusions against U.S. critical infrastructure entities, adds to the ever-increasing challenges of enterprise defense, the researchers added, since defenders who block or hunt on the source IPs seen at the network edge are matching transient proxy nodes rather than the operator's own infrastructure.