Full Report
Threat hunters have discovered a network of more than 1,000 compromised small office and home office (SOHO) devices that have been used to facilitate a prolonged cyber espionage infrastructure campaign for China-nexus hacking groups. The Operational Relay Box (ORB) network has been codenamed LapDogs by SecurityScorecard's STRIKE team. "The LapDogs network has a high concentration of victims
Analysis Summary
# Threat Actor: LapDogs (Operational Relay Box Network)
## Attribution & Identity
- **Attribution:** China-linked hacking groups.
- **Known Aliases/Associations:** The source notes a possible similarity to the threat actor **UAT-5918**, assessed as a medium-confidence association.
## Activity Summary
- **Campaign Name:** LapDogs (Operational Relay Box, or ORB network).
- **Scope:** Compromised over 1,000 Small Office/Home Office (SOHO) devices globally to facilitate a prolonged cyber espionage infrastructure.
- **Timeline:** First signs of activity detected as early as September 6, 2023 (in Taiwan), with the second recorded attack on January 19, 2024. The campaign is run in organized batches, infecting no more than 60 devices per batch, with 162 distinct intrusion sets identified.
- **Note on Differentiation:** Assessed as separate from the **PolarEdge** cluster, despite some shared characteristics (like exploiting IoT flaws), due to differences in infection process, persistence methods, and targeting scope (LapDogs also targets VPSs and Windows systems).
## Tactics, Techniques & Procedures
- **Initial Access:** Weaponization of N-day security vulnerabilities, including **CVE-2015-1548** and **CVE-2017-17663**.
- **Execution/Persistence:** Delivery via a shell script primarily targeting Linux-based SOHO devices. Deploys a custom backdoor called **ShortLeash**.
- **Defense Evasion/Impersonation:** ShortLeash sets up a fake Nginx web server and generates a unique, self-signed TLS certificate whose issuer name is "LAPD" (impersonating the Los Angeles Police Department); that issuer name is what gave the ORB network its LapDogs name.
- **Persistence Method:** ShortLeash persists by installing itself into the system directory as a `.service` file, so it survives reboot and runs with root-level privileges.
## Targeting
- **Sectors:** IT, networking, real estate, and media sectors.
- **Geography:** High concentration in the **United States** and **Southeast Asia**, with prevalence also reported in **Japan, South Korea, Hong Kong, and Taiwan**.
- **Victims (Device Types):** SOHO devices and services from Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology. Also targets Virtual Private Servers (VPSs).
## Tools & Infrastructure
- **Malware Families:** Custom backdoor named **ShortLeash**.
- **Infrastructure:** Operational Relay Box (ORB) network setup.
- **C2/Artifacts:** Fake Nginx web server, uses self-signed TLS certificates issued by "LAPD."
## Implications
This campaign establishes a large, persistent, and difficult-to-detect proxy network (ORB infrastructure) potentially used for future espionage activities by China-linked actors. The use of publicly known vulnerabilities but targeting overlooked SOHO devices demonstrates a focus on broad, low-effort initial access to establish a resilient infrastructure layer.
## Mitigations
- Patch the N-day vulnerabilities exploited in this campaign, specifically **CVE-2015-1548** and **CVE-2017-17663**, across all network-facing devices, especially SOHO equipment.
- Regularly audit and monitor network devices for unexpected service files (like root-level `.service` files) that establish persistence.
- Investigate for the presence of fake Nginx services or TLS certificates listing "LAPD" as the issuer certificate authority on internal or edge assets.
- Implement network segmentation to minimize the impact of compromised SOHO/IoT devices serving as C2 infrastructure.
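The two host-level checks above (unexpected root-level `.service` files and TLS certificates issued by "LAPD") can be turned into a small hunting routine. The following is an added example, not code from SecurityScorecard or from the report itself; it runs over constructed sample data (unit-file contents, hostnames in the 192.0.2.0/24 documentation range, and subject/issuer strings in OpenSSL's `-subject`/`-issuer` output format), and the "suspicious directory" list and the nginx-lookalike heuristic are my assumptions rather than indicators from the report. Only the "LAPD" issuer name comes from the page.

```python
"""Hunting heuristics for ShortLeash-style persistence artifacts (added example).

Two checks from the mitigations section, applied to constructed sample data:
  1. systemd unit files that start a binary from a scratch/user directory as root,
     or that are named like nginx but do not start the nginx binary;
  2. TLS certificates that are self-signed and/or whose issuer name is "LAPD".
"""
import re
from dataclasses import dataclass

# Assumption: packaged services rarely start from these locations.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/", "/home/")
# Issuer name the report associates with ShortLeash certificates.
SUSPICIOUS_ISSUER_NAMES = {"LAPD"}


@dataclass(frozen=True)
class Finding:
    source: str   # unit name or host the finding relates to
    reason: str


def parse_unit(text):
    """Minimal INI-style parser for a systemd unit file: section -> key -> value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def audit_unit(name, text):
    """Flag a unit file whose settings resemble a dropped root-level service."""
    service = parse_unit(text).get("Service", {})
    exec_start = service.get("ExecStart", "")
    # First token is the executable; systemd allows prefix characters such as '-' or '@'.
    binary = exec_start.split()[0].lstrip("-@+!:") if exec_start else ""
    runs_as_root = service.get("User", "root") == "root"  # systemd defaults to root
    findings = []
    if binary.startswith(SUSPICIOUS_EXEC_DIRS):
        findings.append(Finding(name, f"ExecStart runs {binary} from a scratch or user directory"))
    if runs_as_root and "nginx" in name.lower() and binary and not binary.endswith("/nginx"):
        findings.append(Finding(name, f"unit named like nginx starts {binary} as root"))
    return findings


def parse_dn(dn):
    """Parse 'subject=CN = x, O = y' (openssl x509 -subject/-issuer style) into a dict."""
    dn = re.sub(r"^(subject|issuer)=\s*", "", dn.strip())
    attrs = {}
    for part in re.split(r",\s*", dn):
        if "=" in part:
            key, _, value = part.partition("=")
            attrs[key.strip().upper()] = value.strip()
    return attrs


def audit_certificate(host, subject, issuer):
    """Flag self-signed certificates and issuers matching the reported indicator."""
    subj, iss = parse_dn(subject), parse_dn(issuer)
    findings = []
    if subj == iss:
        findings.append(Finding(host, "self-signed certificate (issuer equals subject)"))
    matched = {iss.get("CN"), iss.get("O")} & SUSPICIOUS_ISSUER_NAMES
    if matched:
        findings.append(Finding(host, f"issuer name matches reported indicator: {sorted(matched)}"))
    return findings


# Constructed sample inputs: one legitimate-looking unit, one lookalike dropped into /tmp.
SAMPLE_UNITS = {
    "nginx.service": (
        "[Unit]\nDescription=A high performance web server\n"
        "[Service]\nType=forking\nExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'\n"
    ),
    "nginx-cache.service": (
        "[Unit]\nDescription=nginx cache helper\n"
        "[Service]\nExecStart=/tmp/.cache/nginx-cache\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}
SAMPLE_CERTS = [
    ("192.0.2.10", "subject=CN = LAPD, O = LAPD", "issuer=CN = LAPD, O = LAPD"),
    ("192.0.2.11", "subject=CN = vpn.example.org", "issuer=C = US, O = Example CA, CN = R1"),
]


def hunt(units=SAMPLE_UNITS, certs=SAMPLE_CERTS):
    """Run both audits and return every finding."""
    findings = []
    for name, text in units.items():
        findings.extend(audit_unit(name, text))
    for host, subject, issuer in certs:
        findings.extend(audit_certificate(host, subject, issuer))
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.source}: {f.reason}")
```

On a real host, feed `audit_unit` the contents of files under `/etc/systemd/system` and `/usr/lib/systemd/system`, and feed `audit_certificate` the output of `openssl s_client -connect HOST:443 </dev/null | openssl x509 -noout -subject -issuer` for each edge device; a self-signed certificate alone is common on SOHO gear, so treat the issuer-name match, not self-signing by itself, as the strong signal.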