Full Report
The number of devices infected by LapDogs is smaller than that of other ORB networks, but that is likely by design, according to SecurityScorecard researchers. The post "Stealth China-linked ORB network gaining footholds in US, East Asia" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: China-linked Threat Group (Utilizing 'LapDogs' ORB Network)
## Attribution & Identity
The threat actor is described only as a China-linked threat group. No specific APT designation is given; the activity is placed within the broader China-nexus APT landscape, which has increasingly used Operational Relay Box (ORB) networks as espionage infrastructure.
## Activity Summary
Researchers at SecurityScorecard discovered an operational relay box (ORB) network dubbed "LapDogs," controlled by this China-linked actor.
* **Scale and Growth:** The network exceeds 1,000 devices and is continuously expanding, with campaigns becoming more frequent and yielding higher numbers of infected devices.
* **Timeline:** Earliest detected nodes date back to September 2023.
* **Operation Style:** The operation appears highly targeted, infecting no more than 60 devices at a time across 162 distinct intrusion sets.
* **Post-Infection Activity:** The exact post-infection activity remains unclear, as ORBs often serve as shared infrastructure, complicating motivation assessment.
## Tactics, Techniques & Procedures
The actor operates an ORB network: a mesh of compromised edge devices used as relays. Compared with a traditional botnet, an ORB network gives espionage traffic a less conspicuous origin (residential and small-business IP space, often inside the target's own region) and makes any single node disposable.
- Establishing an evolving mesh network for concealing operations.
- Using infected devices for reconnaissance.
- Performing anonymized browsing.
- Collecting network traffic data, and performing port and vulnerability scanning from the relay nodes.
- Node reconfiguration.
- Relaying stolen data upstream.
- Cycling through network infrastructure roughly monthly, so that published Indicators of Compromise (IoCs) go stale quickly.
- *(No MITRE ATT&CK technique IDs are given in the source text.)*
## Targeting
- **Sectors:** Not explicitly listed in the source. The inference (ours, not the researchers') is **espionage** against government, defense, or critical-technology targets, based on the ORB tradecraft and the China-nexus association.
- **Geography:** Primarily focused on the **United States** (over one-third of infections) and **East Asia**, specifically: **Japan, South Korea, Taiwan, and Hong Kong.**
- **Victims:** Specific organizations were not named, but the compromised devices belong to various manufacturers, including Ruckus Wireless (over half of compromises), Asus, Buffalo Technology, Cisco-Linksys, D-Link, Microsoft, Panasonic, and Synology. The devices compromised include routers, IoT devices, virtual servers, and IP cameras.
## Tools & Infrastructure
- **Malware Families Used:** None are named in the summarized text. "LapDogs" is the name of the ORB network itself, not of an implant.
- **Infrastructure (C2, domains, IPs):** The infrastructure consists of compromised small/home office routers and other internet-facing devices acting as relays. No specific C2 domains or IPs are listed; the value of an ORB to the operator lies precisely in the rotation and diffusion of its nodes, so any single address is short-lived.
## Implications
The LapDogs ORB network represents a technique favored by China-nexus actors that is cheap to build yet hard to track: compromised edge devices provide persistent, low-profile footholds for espionage operations. Because the infrastructure is layered and constantly rotated, attribution and tracking are harder, and IoC-based blocking has a short shelf life. The growing frequency and yield of the campaigns suggest increasing reliance on this method for intelligence gathering.
## Mitigations
- Monitor SOHO routers, IP cameras, NAS appliances, and other IoT/edge devices for behavior consistent with relaying: new outbound connections to unfamiliar hosts that closely follow inbound connections, unexpected listening services, unexplained configuration or firmware changes, and scanning activity originating from the device.
- Include ORB networks in threat models: traffic arriving from residential or small-business IP space in the organization's own region should not be trusted on the basis of its origin, since that is exactly the cover an ORB provides.
- Ingest and act on ORB-related IoCs quickly, since nodes rotate on roughly a monthly cycle, and pair them with behavior-based detections that survive the rotation.
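The relay behavior described in the TTP and mitigation sections can be triaged from ordinary flow records. The following is an added example, not code from SecurityScorecard, CyberScoop, or the LapDogs report: it pairs each inbound flow to a monitored device with an outbound flow the device opens shortly afterwards to a different host carrying a comparable byte count, which is the signature of a node forwarding traffic upstream. The `Flow` record, the field names, the thresholds, and the sample flows (documentation-range addresses) are all assumptions constructed for illustration.

```python
"""Relay-behaviour heuristic over flow records.

Added example, not part of the original report. Assumes flows have been
exported from a firewall or NetFlow collector and reduced to the fields
below; SAMPLE_FLOWS is constructed, not captured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes sent from src to dst


# Hypothetical WAN address of a monitored SOHO router (RFC 5737 range).
ROUTER = "192.0.2.10"

SAMPLE_FLOWS = [
    # Relay pattern: an external peer sends data to the router, and within
    # seconds the router opens a similar-sized connection to a *different* host.
    Flow(1000.0, "198.51.100.7", ROUTER, 443, 4100),
    Flow(1001.2, ROUTER, "203.0.113.50", 443, 4150),
    Flow(1060.0, "198.51.100.7", ROUTER, 443, 9800),
    Flow(1060.9, ROUTER, "203.0.113.51", 8443, 9900),
    Flow(1120.0, "198.51.100.7", ROUTER, 443, 2200),
    Flow(1121.5, ROUTER, "203.0.113.52", 443, 2300),
    # Benign: a client fetches the router's admin page; the reply goes back
    # to the same peer, so it is a server response, not relaying.
    Flow(1200.0, "198.51.100.9", ROUTER, 443, 800),
    Flow(1200.1, ROUTER, "198.51.100.9", 51000, 15000),
    # Benign: a vendor update check with no inbound flow preceding it.
    Flow(1500.0, ROUTER, "203.0.113.9", 443, 120000),
]


def find_relay_pairs(flows, device, window=10.0, tolerance=0.3):
    """Pair inbound flows to `device` with outbound flows from `device` that
    start within `window` seconds, go to a host other than the inbound peer,
    and carry a byte count within `tolerance` of the inbound one.
    Each outbound flow is consumed by at most one inbound flow."""
    inbound = sorted((f for f in flows if f.dst == device), key=lambda f: f.ts)
    outbound = sorted((f for f in flows if f.src == device), key=lambda f: f.ts)
    used = set()
    pairs = []
    for fin in inbound:
        if fin.nbytes == 0:
            continue
        for idx, fout in enumerate(outbound):
            if idx in used or fout.ts < fin.ts:
                continue
            if fout.ts - fin.ts > window:
                break                      # outbound is sorted; nothing later fits
            if fout.dst == fin.src:
                continue                   # reply to the same peer: normal server traffic
            if abs(fout.nbytes - fin.nbytes) / fin.nbytes <= tolerance:
                pairs.append((fin, fout))
                used.add(idx)
                break
    return pairs


def relay_score(flows, device, min_pairs=3, **kw):
    """Summarise relay evidence for one device. `suspicious` is set when at
    least `min_pairs` inbound/outbound pairs were found in the window."""
    pairs = find_relay_pairs(flows, device, **kw)
    return {
        "device": device,
        "pairs": len(pairs),
        "upstream_peers": sorted({fin.src for fin, _ in pairs}),
        "downstream_peers": sorted({fout.dst for _, fout in pairs}),
        "suspicious": len(pairs) >= min_pairs,
    }


if __name__ == "__main__":
    for dev in (ROUTER, "198.51.100.9"):
        print(relay_score(SAMPLE_FLOWS, dev))
```

This is a triage heuristic, not a verdict: a NAT router legitimately forwards LAN-to-WAN traffic, so run it against flows where the device's own WAN address is the endpoint (inbound to the device, outbound from the device), not against the translated client sessions behind it, and tune `window` and `tolerance` to the collector's timing resolution. A device that scores as suspicious is a candidate for configuration review and firmware verification, and its upstream/downstream peers are worth correlating across the fleet, since the same ORB operator tends to reuse them until the monthly rotation.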