Today's Core Dump is brought to you by ThreatPerspective

Threat Intelligence

IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders

Ephemerality: How long is this infrastructure part of the ORB network being defended against and are changing characteristics of infrastructure indicative of new tactics?
Mandiant asserts that the best way to rise to the challenge posed by ORB networks is to stop tracking espionage C2 infrastructure as an inert indicator of compromise and start tracking it as an entity with distinct TTPs. We no longer operate in the world of “block and move on” where IPs are part of APT’s weaponization and C2 kill chain phase. Instead, infrastructure is a living artifact of an ORB network that is a distinct and evolving entity where the characteristics of IP infrastructure itself, including ports, services, and registration/hosting data, can be tracked as evolving behavior by the adversary administrator responsible for that ORB network.

By shifting awareness and our enterprise defender paradigm toward treating ORB networks like APTs instead of IOCs, defenders can begin to turn their dilemma into a defender’s advantage.


Use of ORB networks to proxy traffic in a compromised network is not a new tactic, nor is it unique to China-nexus cyber espionage actors. However, its ubiquity that has evolved over the past four years now requires defenders to meet this challenge head on to keep pace with adversaries in the cyber espionage landscape. We have tracked China-nexus cyber espionage using these tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations. In addition to wanting to be stealthy, actors want to increase the cost and analytical burden on defenders of enterprise environments. The rise of the ORB network industry in China points to long-term investments in equipping China-nexus cyber operators with more sophisticated tactics and tools that facilitate enterprise exploitation to achieve higher success rates in gaining and maintaining access to high-value networks. Whether defenders will rise to this challenge depends on enterprises applying the same deep tactical focus to tracking ORB networks as has been done for APTs over the last 15 years. Mandiant is equipped to provide enterprise defenders with the capability to meet this challenge and scale to overcome it.

Published: 2024-05-22T14:00:00

© Segmentation Fault . All rights reserved.

Privacy | Terms of Use | Contact Us