Researchers have discovered yet another network of operational relay boxes (ORBs) controlled by suspected Chinese nation-state actors for cyber-espionage purposes.
According to SecurityScorecard’s STRIKE research team, the ORB network, nicknamed “LapDogs,” comprises more than 1,000 nodes infected with a custom backdoor and has been used against “highly localized targets” in the US as well as Japan, South Korea, Hong Kong, and Taiwan. The researchers attributed the network to China-nexus actors with moderate confidence and noted similarities between LapDogs and other Chinese state-sponsored ORB networks.
ORB networks have become a hallmark of increased threat activity from the People’s Republic of China (PRC). Various cybersecurity vendors have detailed how espionage actors in recent years have built botnet-like networks, featuring routers, Internet of Things (IoT) devices and virtual private servers, not to launch direct attacks but to provide infrastructure that disguises malicious operations as legitimate traffic.
SecurityScorecard called ORB networks an emerging threat because they act as a “Swiss Army knife” that attackers can use to covertly conduct reconnaissance, vulnerability scanning, anonymized browsing, and command-and-control (C2) operations for larger attacks.
“The rise of ORB Networks as a main TTP for China-nexus APTs poses a significant challenge to traditional security best-practices by eroding the importance of Indicators of Compromise (IOC) tracking, due to the sheer number of nodes and the rapid pace at which they change,” the report said.
LapDogs’ Cyberattack Bite
STRIKE researchers recently identified LapDogs, which infects Linux-based small office/home office (SOHO) devices, but found the ORB network has been active since at least September 2023. The research team also noted that LapDogs has steadily grown in size over the past two years.
According to the report, the campaign has affected ISPs, hardware vendors, and “specific organizations” in the IT, networking, real estate, and media sectors. For example, STRIKE researchers said LapDogs compromised devices at a UK-based media company as well as a municipal services office, a real estate company, and IT and network solutions companies in Japan.
SecurityScorecard warned that infected nodes could point to serious threats to the owning organizations beyond having compromised devices used for malicious cyber activity.
“Every node in the LapDogs ORB can be used by a threat actor to further access the internal network the node is connected to, therefore each owner of a compromised device might be further victimised and should take preventative measures,” the research team said.
More than half of the infected devices are Ruckus Wireless access points, while products from a number of other vendors were also affected, including ASUS, Buffalo Technology, Cisco Linksys, D-Link, Microsoft, Panasonic, and Synology.
The report also highlighted that ORB networks are often used by multiple threat actors for separate campaigns. In the case of LapDogs, SecurityScorecard said the network has been used at least once by a threat group tracked as UAT-5918 in cyber-espionage operations against Taiwan. However, STRIKE researchers said they could not determine whether UAT-5918 was the operator of LapDogs or just a client of the ORB network.
TLS Certificate Abuse
SecurityScorecard noted several aspects of LapDogs that distinguished it from previous ORB network activity. First, the threat actors used a custom backdoor, dubbed “ShortLeash,” to maintain persistent access on compromised devices.
Second, the ShortLeash backdoor generates a unique, self-signed TLS certificate with spoofed metadata for each node. The metadata presents the certificates as issued by the Los Angeles Police Department (LAPD), suggesting the threat actors are attempting to masquerade infected nodes as legitimate LAPD network devices, hence SecurityScorecard’s nickname “LapDogs.”
It’s unclear, however, if there was any specific reason for spoofing the LAPD, according to Gilad F. Maizles, security researcher at SecurityScorecard. “It could be an inside joke by the operator, something not uncommon among Chinese APTs,” he says. “While we did observe some compromised devices in the Los Angeles area, they were neither the first nor the most prominent in the network. We also found no evidence of direct targeting or compromise of the LAPD itself.”
Self-signed certificates are often seen as security risks because no third-party certificate authority vouches for the identity they assert, so a client cannot verify who actually controls the key. Many systems and software will issue alerts or warnings when a self-signed certificate appears in a trust chain.
However, the warnings are not always acknowledged, and the best practices around self-signed certificates are not always followed — even by the vendors themselves.
“Most of the devices we encountered (such as Ruckus Wireless devices or Buffalo Tech AirStation) have a built-in Web server that is used as a configuration interface and can be browsed externally from the internet,” Maizles says. “These Web UI servers, in most cases, were using a self-signed certificate generated by the device itself as well. Any alerts or rules that target self-signed certificates will be triggered anytime a legitimate access is attempted to the Web UI server, so rules and alerts for access to these devices are most likely ignored or white-listed with regard to self-signed certificates.”
Maizles says this is partially why ORB networks and botnets typically target SOHO devices, “as they are not only ill-managed and unpatched, but also come predesigned with lower security standards that are rarely addressed by the owners.”
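The two points above, a spoofed issuer identity on each node’s certificate and the fact that legitimate SOHO web UIs also present self-signed certificates, suggest how a hunt for this pattern should be written: alert only when a certificate is both self-signed and claims an issuer it has no business claiming, and then check whether each host carries its own distinct certificate, as the report says ShortLeash does. The following Python script is an added example, not SecurityScorecard code. The input records, hosts and fingerprints are constructed; the field names (host, sha256, subject, issuer) are an assumption about what a TLS scanner or Zeek x509/ssl log would provide; and the exact issuer strings to match are an assumption based on the article’s description, to be replaced with the published fingerprints.

```python
# Added example for triaging TLS certificate observations for LapDogs-style
# spoofed self-signed certificates. Not SecurityScorecard code.
import json
import re
from collections import defaultdict

# Issuer text the article describes (certs presented as issued by the LAPD).
# The exact match strings are an assumption; tune them to published IOCs.
SPOOFED_ISSUER_TERMS = ("los angeles police department", "lapd")

# Constructed observations. Hosts, fingerprints and DNs are not real IOCs.
SAMPLE_LOG = """\
{"host": "203.0.113.10", "sha256": "aaaa1111", "subject": "CN=203.0.113.10,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US", "issuer": "CN=203.0.113.10,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US"}
{"host": "203.0.113.11", "sha256": "bbbb2222", "subject": "CN=203.0.113.11,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US", "issuer": "CN=203.0.113.11,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US"}
{"host": "198.51.100.5", "sha256": "cccc3333", "subject": "CN=ruckus-ap,O=Ruckus Wireless", "issuer": "CN=ruckus-ap,O=Ruckus Wireless"}
{"host": "198.51.100.6", "sha256": "dddd4444", "subject": "CN=portal.example.net,O=Example Corp", "issuer": "CN=R10,O=Let's Encrypt,C=US"}
"""


def parse_dn(dn):
    """Split an RFC 4514-style DN ("CN=x,O=y,C=US") into an {attr: value} dict.
    Escaped commas ("\\,") stay inside a value; multi-valued RDNs are not handled."""
    out = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        out[key.strip().upper()] = value.strip().replace("\\,", ",")
    return out


def classify(record):
    """Return (verdict, reason) for one certificate observation.
    A self-signed cert alone is informational: SOHO web UIs ship with one, so
    alerting on that would be the noise described above. The alert fires when
    the issuer claims a watchlisted identity, which is the LapDogs pattern."""
    subject = parse_dn(record["subject"])
    issuer = parse_dn(record["issuer"])
    self_signed = subject == issuer
    issuer_text = " ".join(issuer.values()).lower()
    spoofed = any(term in issuer_text for term in SPOOFED_ISSUER_TERMS)
    if spoofed:
        kind = "self-signed" if self_signed else "chained"
        return "alert", f"{kind} cert claiming issuer O={issuer.get('O', '?')}"
    if self_signed:
        return "self-signed", "device-generated cert, expected for a SOHO web UI"
    return "ca-signed", "issuer differs from subject"


def triage(log_text):
    """Classify each JSON-lines observation; returns one result dict per record."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict, reason = classify(rec)
        results.append({
            "host": rec["host"],
            "sha256": rec["sha256"],
            "issuer_o": parse_dn(rec["issuer"]).get("O", ""),
            "verdict": verdict,
            "reason": reason,
        })
    return results


def cluster_alerts(results):
    """Group alerts by claimed issuer O and test the one-cert-per-node trait.
    ShortLeash generates a distinct cert per node, so as many fingerprints as
    hosts is the expected shape; one fingerprint shared across hosts would
    point at a different (shared-cert) campaign."""
    by_issuer = defaultdict(lambda: {"hosts": set(), "certs": set()})
    for r in results:
        if r["verdict"] != "alert":
            continue
        by_issuer[r["issuer_o"]]["hosts"].add(r["host"])
        by_issuer[r["issuer_o"]]["certs"].add(r["sha256"])
    return {
        issuer: {
            "hosts": len(v["hosts"]),
            "unique_certs": len(v["certs"]),
            "cert_per_node": len(v["certs"]) == len(v["hosts"]),
        }
        for issuer, v in by_issuer.items()
    }


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f"{r['host']:<14} {r['verdict']:<12} {r['reason']}")
    print(cluster_alerts(rows))
```

On the constructed input, the two LAPD-claiming certificates alert while the Ruckus device certificate is only tagged self-signed and the CA-issued certificate passes, which is the separation a rule keyed on self-signed status alone cannot make. Feeding the script real scanner or Zeek output is a matter of mapping the four fields; the watchlist terms should be replaced with SecurityScorecard’s published certificate fingerprints rather than left as free-text matches.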
SecurityScorecard released indicators of compromise for LapDogs, including network fingerprints for the spoofed TLS certificates as well as C2 domains and signatures for the ShortLeash backdoor. As with botnet defenses, organizations should ensure their connected devices are updated and remove any default credentials. Network administrators should also monitor for suspicious connections and traffic flows.