23 May 2024

Chinese APTs increasingly using ORB networks to mask attack infrastructure


China-linked threat actors are leveraging Operational Relay Box (ORB) networks to mask their attack infrastructure, according to a new report from Google’s cybersecurity subsidiary Mandiant.

The company reports that it is actively monitoring several ORB networks, with the most notable being SPACEHOP and FLORAHOX, used by groups like APT5 and APT31, respectively.

“ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations,” the company explains in its report.

One of the largest and most active ORB networks, tracked by Mandiant as ORB3 or SPACEHOP, is leveraged by multiple China-nexus threat actors.

The high volume of APT-related traffic passing through globally distributed nodes indicates the network’s extensive use for targeting diverse geographic regions, notably Europe, the Middle East, and the United States. These areas are known targets of APT15 and UNC2630 (a cluster of activities suspected to be linked to APT5).

UNC2630 has been operational since at least 2019 and used a known SPACEHOP node to exploit a Citrix NetScaler ADC/Gateway vulnerability (CVE-2022-27518) in December 2022. The US National Security Agency (NSA) had previously attributed exploitation of this vulnerability to APT5.

SPACEHOP’s infrastructure uses relay servers hosted in Hong Kong or China and installs a command-and-control (C2) framework available on GitHub to manage downstream relay nodes. These nodes, often cloned Linux-based images, proxy malicious network traffic through the network to an exit node that communicates with targeted victim environments.

FLORAHOX, another sophisticated ORB network, consists of Adversary Controlled Operations Server (ACOS) nodes, compromised network routers, IoT devices, and leased VPS servers. The network proxies traffic from a source and relays it through the Tor network and several compromised router nodes to obscure where the traffic originated. It is believed to be used in cyber espionage campaigns by various China-nexus threat actors, including APT31 (also tracked as Zirconium).

FLORAHOX comprises several subnetworks formed by devices compromised through the router implant FLOWERWATER and other router-based payloads. An additional tool set identified in January 2023, a MIPS router payload (PETALTOWER) and related controller Bash scripts (SHIMMERPICK), provides the configuration needed to route traffic across the pool of pre-existing FLORAHOX nodes, with the path selected from command-line inputs.

“ORB2 represents a more complicated design including the relay of traffic through TOR nodes, provisioned VPS servers, and different types of compromised routers including CISCO, ASUS, and Draytek end-of-life devices,” Mandiant said. “The network embodies years of continual augmentation and several generations of distinct router-based payloads used simultaneously to recruit vulnerable devices into the FLORAHOX traversal node pool.”
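From the defender's side, SPACEHOP and FLORAHOX present the same shape: a single operator whose traffic reaches the victim from many short-lived exit addresses, so a per-IP threshold or blocklist never trips. The script below is an added example, not code from Mandiant's report or from this article. It clusters web-server requests by what the operator controls (method, path, User-Agent) rather than by source IP, and flags any pattern seen from many distinct addresses with only a handful of hits each. The log lines are constructed for illustration (documentation IP ranges, a generic /login path, no exploit payload), and the two thresholds are assumptions to be tuned per environment.

```python
"""Cluster web-server hits by request fingerprint rather than source IP.

Added example; not from Mandiant or the article above. SAMPLE_LOG is
constructed: RFC 5737 documentation ranges stand in for relay exits, and
the request paths are generic, not tied to any CVE.
"""
import re
from collections import defaultdict

# Constructed sample: one request pattern arriving from five different
# exits, one hit each, plus an ordinary user browsing from a single host.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2022:10:01:02 +0000] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Dec/2022:10:01:09 +0000] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [12/Dec/2022:10:01:15 +0000] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.77 - - [12/Dec/2022:10:01:21 +0000] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.200 - - [12/Dec/2022:10:01:30 +0000] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [12/Dec/2022:10:02:00 +0000] "GET /login HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.5 - - [12/Dec/2022:10:02:03 +0000] "GET /login HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.5 - - [12/Dec/2022:10:02:07 +0000] "GET /portal/index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"
"""

# Minimal combined-log style parser; real deployments should use the
# server's own log schema instead of this regex.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def fingerprint(rec):
    """Key on attributes the operator chooses, not on the exit node's IP."""
    return (rec["method"], rec["path"], rec["ua"])


def suspicious_clusters(log_text, min_sources=3, max_hits_per_ip=2):
    """Return fingerprints seen from many IPs, each used only a few times.

    That shape (one request pattern, many low-volume sources) is what a
    rotating relay pool looks like from the victim side. Thresholds are
    assumed starting points, not values from the report.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse(log_text):
        hits[fingerprint(rec)][rec["ip"]] += 1

    flagged = []
    for fp, per_ip in hits.items():
        if len(per_ip) >= min_sources and max(per_ip.values()) <= max_hits_per_ip:
            flagged.append((fp, sorted(per_ip)))
    return sorted(flagged)


if __name__ == "__main__":
    for fp, ips in suspicious_clusters(SAMPLE_LOG):
        print(f"{fp[0]} {fp[1]} ua={fp[2]!r}: {len(ips)} sources -> {ips}")
```

On the sample above only the POST /login pattern is flagged (five sources, one hit each); the browsing user from 10.0.0.5 is not, because all of its requests come from one address. The useful takeaway is the pivot: once a pattern is flagged, block or challenge the request shape, and treat the exit IPs as evidence to correlate rather than as a durable blocklist, since relay nodes are swapped out continuously.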
