China-backed espionage operations are increasingly utilizing ORB networks [5], such as the SPACEHOP network, to conceal their activities [1] [2] [5].


Mandiant Intelligence has observed a rise in China-backed espionage operations utilizing ORB networks [5], such as the SPACEHOP network (also known as ORB3), to conceal their activities [1] [2] [5]. These networks [1] [2] [3] [5] [6] are composed of compromised devices such as virtual private servers (VPS), IoT devices [3] [4] [5] [6] [7], and routers without security updates [3], which makes it challenging for defenders to track attacks and complicates attribution. ORB networks constantly reconfigure [5], blending malicious traffic with legitimate traffic to avoid detection [5].

Mandiant categorizes ORB networks into provisioned and non-provisioned types [4], with administrators relying on ASN providers to minimize exposure. Chinese threat actors leverage ORBs to mask traffic between command and control infrastructure and victim environments [4], making it difficult for defenders to trace and defend against cyber attacks. ORBs are typically hosted in China-affiliated IP space [4], with nodes dispersed globally [2] [4]. The increased use of ORBs by Chinese threat actors presents challenges for defenders [4], as indicators of compromise become less effective and attribution based on network infrastructure becomes unfeasible [4]. Mandiant recommends treating ORB networks as evolving entities rather than as indicators of compromise to effectively defend against this growing threat.

ORB networks are designed to increase the difficulty of defending against espionage operations and to shift the advantage towards operators by avoiding detection [6]. The structure of an ORB network includes adversary-controlled operations servers [6], relay nodes [1] [4] [6], traversal nodes [1] [6], exit/staging nodes [1] [6], and victim servers [1] [6]. ORB networks challenge the concept of “Actor-Controlled Infrastructure” because they are managed by independent entities within China and are utilized by multiple APT actors for espionage and reconnaissance [6]. A notable example of a provisioned ORB network is ORB3/SPACEHOP [6], which has facilitated network reconnaissance scanning and vulnerability exploitation by China-nexus threat actors [6], including APT5 and APT15 [6]. Mandiant emphasizes the need for organizations to analyze ORBs as dynamic entities and develop behavior-based signatures to effectively monitor them.

By cycling their internet traffic through devices located geographically close to the target organization [7], threat actors can blend in with legitimate traffic [3] [7], making it difficult for defenders to identify potential breaches [7]. The owners of compromised devices are often unaware that they are contributing to the ORB network [7], and some devices are active for as few as 31 days [3] [7]. This technique challenges defenders by removing typical indicators of compromise and making attribution more difficult [7].

China-linked state-backed hackers have been found using ORBs created from virtual private servers and compromised online devices for cyberespionage operations [8]. These proxy meshes are administered by independent cybercriminals and provide access to multiple state-sponsored actors [8]. ORBs have been used in attacks on US critical infrastructure organizations [8], with contractors in China cycling compromised infrastructure on a monthly basis [8]. The use of Autonomous System Number providers worldwide allows ORB administrators to hide malicious traffic [8]. Chinese hackers have been found on military and government networks for extended periods [8], with recent attacks lasting up to 6 years [8].
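One way to act on the recommendation to track an ORB network as an evolving entity instead of a flat indicator list, given node lifetimes as short as 31 days, is to match connection logs only against the window in which each node was observed active. This is an added example, not code from Mandiant or the cited sources; the network label, the IP addresses (documentation ranges), the log rows and the grace period are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample data: documentation-range IPs, hypothetical network label.
NODE_SIGHTINGS = [
    # (network, node_ip, first_seen, last_seen)
    ("ORB-EXAMPLE", "203.0.113.10", "2024-03-01", "2024-03-29"),
    ("ORB-EXAMPLE", "198.51.100.7", "2024-04-02", "2024-04-20"),
]
CONNECTIONS = [
    # (timestamp, internal_host, remote_ip)
    ("2024-03-15T08:12:00", "vpn-gw-1", "203.0.113.10"),  # inside activity window
    ("2024-06-20T11:40:00", "vpn-gw-1", "203.0.113.10"),  # node rotated out long ago
    ("2024-04-22T02:05:00", "mail-1", "198.51.100.7"),    # just after last sighting
    ("2024-04-10T09:00:00", "web-1", "192.0.2.55"),       # never seen as a node
]
GRACE = timedelta(days=3)  # assumption: tolerance for gaps in sighting coverage


def load_nodes(sightings):
    """Index sightings by IP -> list of (network, start, end) activity windows."""
    nodes = {}
    for network, ip, first, last in sightings:
        start = datetime.fromisoformat(first) - GRACE
        end = datetime.fromisoformat(last) + timedelta(days=1) + GRACE
        nodes.setdefault(ip_address(ip), []).append((network, start, end))
    return nodes


def classify(connections, nodes):
    """Label each connection: 'active-node', 'stale-indicator' or 'no-match'."""
    results = []
    for ts, host, remote in connections:
        when = datetime.fromisoformat(ts)
        windows = nodes.get(ip_address(remote), [])
        if any(start <= when < end for _, start, end in windows):
            verdict = "active-node"
        elif windows:
            verdict = "stale-indicator"  # IP is known, but not as a node at that time
        else:
            verdict = "no-match"
        results.append((ts, host, remote, verdict))
    return results


if __name__ == "__main__":
    for row in classify(CONNECTIONS, load_nodes(NODE_SIGHTINGS)):
        print(*row, sep="  ")
```

A "stale-indicator" hit is most likely the device's legitimate owner or a later tenant of the address, which is why a permanent IP blocklist built from ORB nodes produces noise once the nodes have cycled.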


The use of ORB networks by Chinese threat actors poses significant challenges for defenders, as traditional indicators of compromise become less effective and attribution becomes more difficult. Organizations must treat ORB networks as evolving entities and develop behavior-based signatures to effectively monitor and defend against this growing threat. The impact of ORB networks on cybersecurity is significant, as they enable threat actors to avoid detection and shift the advantage in their favor. Mitigating the risks associated with ORB networks requires a proactive approach to monitoring and analyzing network traffic, as well as collaboration with ASN providers to minimize exposure. The future implications of ORB networks in espionage operations are concerning, as they continue to evolve and adapt to evade detection, making it increasingly difficult for defenders to protect against cyber attacks.