Cloud and Infrastructure Security Threats: Beijing’s Stealthy Mesh Networks Detected by Mandiant
**Chinese Cyber Espionage Groups Utilize Advanced Mesh Networks to Evade Detection, Mandiant Reports**
Date: May 22, 2024
In a concerning development in the realm of cyber security, researchers from Google Cloud’s Mandiant have unveiled that various Chinese cyber espionage organizations, including Volt Typhoon (also known as Bronze Silhouette), have increasingly adopted sophisticated operational relay box networks (ORBs) to conceal their cyber operations. These ORBs, often running on stolen or leased proxies or through compromised routers in homes or small offices, mark a strategic evolution in cyber espionage tactics that were previously attributed mainly to Western intelligence agencies.
The report highlights that these ORB networks, akin to botnets, relay the command-and-control communications between the attackers’ infrastructure and their targets. By leveraging a mix of leased virtual private servers and compromised devices, including Internet of Things (IoT) equipment, the networks present a constantly changing mesh that effectively masks espionage activities. One such network, identified as ORB3 or Spacehop by Mandiant, spans Europe, the Middle East, and the United States, demonstrating the global reach and operational complexity of these networks.
Michael Raggi, a principal analyst at Mandiant, compares ORB networks to a perpetually reconfiguring maze, with entrances and exits vanishing every two to three months. This innovation poses significant challenges to cyber defense mechanisms, complicating the tracking and attribution of cyber attacks. The networks enable attackers to mimic legitimate geographic and network profiles, making their activities blend seamlessly with regular internet traffic and evade standard detection methods.
Mandiant’s investigation further reveals that these ORB networks are used not only for espionage but also to target critical infrastructure, including operational technology environments. The report underscores the sophistication of these networks, which consist of adversary-controlled operation servers, relay and traversal nodes, and exit/staging nodes, all contributing to the obfuscation of the attackers’ origins.
This shift towards more stealthy and sophisticated methods indicates a new era of Chinese cyber espionage, moving away from previously detectable activities. The ability of ORB network administrators to cycle through compromised or leased infrastructure regularly adds another layer of complexity for cybersecurity defenders.
In light of these findings, Mandiant emphasizes the need for a more nuanced approach to tracking and countering cyber threats, moving beyond traditional indicators of compromise to understand and mitigate the risks posed by these advanced ORB networks.
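The two defensive points the article makes, that IP-based indicators lose value as ORB entry and exit nodes rotate every two to three months, and that detection should look at how traffic behaves rather than at individual addresses, can be made concrete in a small triage script. The following is an added example written for this page; it is not Mandiant’s code or tooling. It assumes a constructed session log with the columns shown, an assumed decay window of 60 to 90 days derived from the rotation interval the article reports, and the hypothetical heuristic that many distinct residential or SOHO source addresses, each used briefly, sharing one client fingerprint against one service is an ORB-like pattern worth reviewing.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumption based on the reported two-to-three-month node rotation:
# an IP indicator is treated as fully trusted for 60 days, then decays
# linearly to zero confidence at 90 days.
IOC_DECAY_DAYS = 60
IOC_EXPIRY_DAYS = 90


def ioc_confidence(observed_at: datetime, now: datetime) -> float:
    """Return 1.0 for a fresh IP indicator, 0.0 once it is older than the
    rotation window, and a linear value in between."""
    age_days = (now - observed_at).days
    if age_days <= IOC_DECAY_DAYS:
        return 1.0
    if age_days >= IOC_EXPIRY_DAYS:
        return 0.0
    return 1.0 - (age_days - IOC_DECAY_DAYS) / (IOC_EXPIRY_DAYS - IOC_DECAY_DAYS)


# Constructed sample log (not real traffic). Documentation-range addresses only.
SAMPLE_LOG = """\
ts,src_ip,src_asn_type,src_country,dst_service,client_fp,duration_s
2024-05-20T10:00:00Z,203.0.113.10,residential,US,vpn-gateway,fp-7a1,45
2024-05-20T10:07:00Z,198.51.100.23,residential,US,vpn-gateway,fp-7a1,38
2024-05-20T10:15:00Z,192.0.2.77,residential,US,vpn-gateway,fp-7a1,51
2024-05-20T10:22:00Z,203.0.113.89,residential,US,vpn-gateway,fp-7a1,40
2024-05-20T10:30:00Z,198.51.100.201,residential,US,vpn-gateway,fp-7a1,47
2024-05-20T11:00:00Z,203.0.113.5,hosting,DE,web-portal,fp-210,600
2024-05-20T11:05:00Z,203.0.113.5,hosting,DE,web-portal,fp-210,620
2024-05-20T11:30:00Z,198.51.100.9,residential,US,mail,fp-991,1200
"""

# ASN categories that match the compromised home/SOHO and IoT nodes the
# article describes; "hosting" is deliberately excluded here because leased
# VPS nodes look different and would need a separate heuristic.
RELAY_LIKE_ASN_TYPES = {"residential", "iot"}


def find_orb_like_clusters(log_text: str, min_sources: int = 4,
                           max_duration_s: int = 120) -> list:
    """Group short sessions by (service, client fingerprint) and report groups
    served by many distinct relay-like source IPs. Returns a list of findings
    rather than matching any single IP, so node rotation does not defeat it."""
    groups = defaultdict(set)
    countries = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src_asn_type"] not in RELAY_LIKE_ASN_TYPES:
            continue
        if int(row["duration_s"]) > max_duration_s:
            continue
        key = (row["dst_service"], row["client_fp"])
        groups[key].add(row["src_ip"])
        countries[key].add(row["src_country"])

    findings = []
    for (service, fp), ips in sorted(groups.items()):
        if len(ips) >= min_sources:
            findings.append({
                "dst_service": service,
                "client_fp": fp,
                "distinct_sources": len(ips),
                "source_countries": sorted(countries[(service, fp)]),
            })
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 22)
    print("confidence of a 75-day-old IP indicator:",
          ioc_confidence(datetime(2024, 3, 8), now))
    for finding in find_orb_like_clusters(SAMPLE_LOG):
        print("review:", finding)
```

The point of grouping by service and client fingerprint instead of by source IP is that the signal survives the mesh reshuffling the article describes: the individual relay addresses change, but the operator’s tooling and target usually do not. The thresholds and ASN categories are starting values for a constructed log and should be tuned against a real baseline before use.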