A China-based cyber-espionage group has compromised more than 1,000 networks worldwide in a campaign dubbed ‘LapDogs,’ according to cybersecurity firm SecurityScorecard. The campaign has remained active and largely undetected since September 2023. Targeted regions include the United States, Japan, South Korea, Taiwan, and Hong Kong.
LapDogs exploits vulnerable Internet of Things (IoT) and Small Office/Home Office (SOHO) routers, many of which are legacy models from vendors such as Ruckus Wireless and Buffalo Technology.
LapDogs employs a sophisticated network of Operational Relay Boxes (ORBs) to discreetly reroute malicious traffic through compromised devices.
The attackers use a custom backdoor named ‘ShortLeash’, which supports both Linux and Windows systems. It enables persistent access, stealthy lateral movement, and even generates fake TLS certificates, with some posing as signed by the Los Angeles Police Department, to mask communications and origins.
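Since the fake certificates described above impersonate an organisation rather than chaining to a trusted CA, one defender-side check is to flag TLS sessions whose certificate failed validation while its issuer claims a law-enforcement identity. This is an added Python example, not SecurityScorecard's tooling; the log records and field names are constructed (loosely modelled on Zeek-style ssl.log output) and the issuer strings are assumptions.

```python
"""Flag TLS sessions whose certificate is untrusted (self-signed or failed
validation) while the issuer claims a police / LAPD identity."""
import re
from typing import Dict, List

# Constructed sample records; field names loosely follow Zeek's ssl.log.
SAMPLE_LOG = """\
ts=1718000000.1 id.resp_h=203.0.113.10 id.resp_p=443 issuer="CN=Los Angeles Police Department,O=LAPD,C=US" subject="CN=Los Angeles Police Department,O=LAPD,C=US" validation_status="self signed certificate"
ts=1718000001.5 id.resp_h=203.0.113.11 id.resp_p=8443 issuer="CN=R3,O=Let's Encrypt,C=US" subject="CN=example.org" validation_status="ok"
ts=1718000002.9 id.resp_h=198.51.100.7 id.resp_p=443 issuer="CN=Buffalo Router,O=Buffalo" subject="CN=Buffalo Router,O=Buffalo" validation_status="self signed certificate"
"""

# Issuer strings that should never appear on an untrusted cert (assumed list).
SUSPICIOUS_ISSUER_PATTERNS = [re.compile(p, re.I) for p in (r"police", r"\bLAPD\b")]

# key=value pairs; values may be double-quoted and contain spaces or '='.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_suspicious(rec: Dict[str, str]) -> bool:
    """True when the cert did not validate (or is self-signed) and the issuer
    claims a law-enforcement identity; a self-signed router cert alone is not
    enough, because many legitimate IoT devices ship one."""
    issuer = rec.get("issuer", "")
    untrusted = rec.get("validation_status", "") != "ok" or issuer == rec.get("subject")
    impersonating = any(p.search(issuer) for p in SUSPICIOUS_ISSUER_PATTERNS)
    return untrusted and impersonating


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records from log_text that trip is_suspicious()."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if is_suspicious(r)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {hit['id.resp_h']}:{hit['id.resp_p']} issuer={hit['issuer']!r}")
```

Only the first sample record is reported; the Buffalo device's self-signed certificate is left alone because its issuer makes no such claim.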
Researchers discovered Mandarin-language notes in startup scripts and found that the campaign’s tools, techniques, and regional targets strongly suggest Chinese state involvement. To date, victims include internet service providers, hardware vendors, and companies in sectors like IT, networking, real estate, and media.
SecurityScorecard identified 162 unique intrusion sets, with roughly one-third clustered by ISP or geography.
“As with other ORB Networks, it can be difficult to determine the exact threat actor operating the network, as ORB Networks can be—and historically have been—shared by more than one threat actor for separate campaigns and intrusion sets. In Cisco Talos’ report, it is assessed that UAT-5918 is a China-Nexus espionage threat actor, due to similarities in tactics and targeting to other prolific actors. This assessment is further supported by LapDogs, as we were able to find Mandarin code notes within the startup script for ShortLeash. The focus on Southeast Asian countries and the United States is circumstantial yet noteworthy evidence as well, given the heightened focus of China-Nexus APTs on these regions,” the report notes.