An Introduction to Operational Relay Box (ORB) Networks – Unpatched, Forgotten, and Obscured

Although not a new concept, Operational Relay Box (ORB) networks—often referred to as “covert,” “mesh,” or “obfuscated” networks—are becoming increasingly prevalent as threat actors continuously refine their evasion techniques. Historically associated with state-sponsored activities, ORB networks are frequently linked to threats attributed to the People’s Republic of China (PRC). One notable recent example is the identification of a vast ORB network operated by a private company with connections to the PRC government, as detailed in this joint (FVEY) advisory notice.

Researchers here at Team Cymru have observed an increase in the abundance of large-scale ORB networks used by threat actors, especially those attributed to China, and expect this trend to continue.

In the copycat world of online threats, the growing attention on ORB networks will likely lead to their adoption by other threat actors, including financially motivated cybercriminals.

An easy way to explain this is as the “love child” of a Virtual Private Network (VPN) and a botnet.

The operational relay boxes are typically either Virtual Private Server (VPS) hosts, procured by the ORB network operator, or compromised Internet of Things (IoT) devices (cheap routers with poor security standards, industrial control systems, healthcare devices, and even your refrigerator). The latter are “farmed” in a similar manner to traditional botnets, with operators actively identifying and infecting vulnerable devices. Given the plethora of forgotten or unpatched devices connected to the internet, this can often be a relatively trivial process.

In a botnet, an attacker may use the “bots” to route traffic toward a victim host, such as in a Distributed Denial of Service (DDoS) attack. This layer of “bots” grants the attacker a level of anonymity, as the victim only sees connections from the bots, not the attacker’s actual machine.

Figure 1: Simplified Botnet Diagram

When investigating botnets through an internet telemetry dataset like NetFlow, one exploitable “weakness” is that botnets rely on a central control mechanism. A common host communicates with all the bots, providing a point of interaction that can be monitored or disrupted. Of course, this isn’t ideal if you’re channeling “The Brain” from the Animaniacs television series.

This is where the “VPN” element comes into play for ORB networks. While the botnet aspect of ORB networks provides a means of distributing malicious traffic, the VPN-like architecture enhances the attacker’s ability to remain undetected by enabling anonymized communication across multiple nodes.

To achieve this, a “mesh” of operational relay boxes is established, with traffic passing between them. Most of the connections occur between the relay boxes themselves, effectively masking the attacker’s entry point into the network. By also randomizing or alternating their exit points (we refer to these as “exit nodes”), defenders face significant challenges when trying to trace threat actors or block attacks.

Figure 2 : Simplified ORB Network Diagram

Now that we’ve established a basic understanding of what an ORB network is and how it functions conceptually, several additional factors contribute to its effectiveness, making these networks even more difficult to detect and disrupt.

By combining VPS and IoT infrastructure, and targeting devices typically sold internationally, threat actors are able to build a network that is neither clustered nor concentrated in any specific region or tied to a particular Internet Service Provider (ISP). This broad distribution of infrastructure significantly complicates efforts to disrupt the network through remediation of infected devices. It can also hinder the process of obtaining valuable threat actor artifacts from compromised hosts, which could otherwise provide insights into their techniques.

However, this decentralization can also present opportunities for network identification. For instance, the direct communication between two similar SOHO routers located in Norway and Kenya may appear unusual given their lack of geographical proximity and could raise suspicion, despite plausible explanations such as Torrenting. By analyzing these “unlikely” communications, it becomes possible to map potential ORB networks.

Several mitigation options are removed from consideration due to the fact that a significant proportion of an ORB network often consists of compromised devices. Similar to the rise in popularity of residential proxies, exit nodes that appear to originate from home or commercial broadband IP ranges pose a challenge for those defending a network perimeter. Blocking such traffic may lead to numerous issues, such as legitimate users being unable to access services or businesses experiencing a decline in genuine traffic, which can result in complaints and service disruptions.

Another challenge is that most IoT devices lack dedicated public IP addresses. As a result, threat actor-related traffic may be “washed” in with benign traffic generated by hundreds or even thousands of users, making it difficult to distinguish between malicious and legitimate activity.

Anecdotal evidence suggests that threat actors often cover their tracks after compromising a device. ORB network operators might carry out a “clean-up” operation, which includes removing other attackers, patching vulnerabilities, and ensuring they remain the sole resident (alongside the unsuspecting victim).

This process also complicates identification efforts for threat researchers. For example, if we know that Threat Actor A is actively exploiting a known CVE to “farm” specific devices for their ORB network, scanning for devices running the vulnerable software could help identify potential threat actor infrastructure. However, by patching the device post-compromise, operators are able to better “hide” their activities and avoid detection, whilst also frustrating the future efforts of incident responders.

The final factor in this non-exhaustive list is drawn from our tracking of existing ORB networks. In many cases, we observe “normal” traffic being routed through the same infrastructure as threat actor-related traffic, effectively using the network as a general proxy for accessing services like social media or messaging platforms. Given the prevalence of ORB networks linked to Chinese entities, alongside China’s “Great Firewall,” an ORB network likely holds broader appeal for accessing otherwise restricted services on the Internet.

By allowing their networks to be used for these general purposes, threat actors further obscure their activities. The additional noise generated by legitimate traffic helps mask malicious operations. If a network were used exclusively for illicit purposes, over time, it might become possible to trace and disrupt these activities. However, with the constant buzz of mixed traffic passing through the network, identifying and pre-empting malicious behavior becomes significantly more challenging.

ORB networks offer several advantages to threat actors, making them highly effective for malicious campaigns. First, they provide enhanced anonymity by allowing attackers to mask their true origin, making it much harder for defenders to trace attacks back to their source. Second, they offer flexibility and resilience; attackers can easily add or remove compromised devices or VPS servers to scale their network as needed, or to replace nodes if they are discovered or blocked. Finally, ORB networks benefit from distributed infrastructure, which allows attackers to spread their operations across multiple geographies, complicating efforts to take down the network. Similar to traditional VPNs or residential proxies, threat actors may choose an exit node in a specific location to circumvent common defense practices such as geofencing.

ORB networks provide threat actors with the capability to execute actions aligned with each phase of the Cyber Kill Chain. These networks enable attackers to remain hidden while conducting activities ranging from reconnaissance to exfiltration.

An obscured exit node gives attackers the anonymity needed to conduct reconnaissance against their intended target. Through this, they can map Internet-facing infrastructure, probe for vulnerabilities, and gather the intelligence necessary to tailor their follow-on actions. By leveraging ORB networks, attackers can avoid detection while collecting information, ensuring that their reconnaissance remains covert.

Once a target has been identified and the method of entry chosen, the ORB network offers a variety of ways to exploit the target. In some cases, attackers may skip traditional delivery methods, such as phishing emails, and instead exploit vulnerabilities that grant remote code execution on the victim’s network. Attackers may also conduct brute force or password-based attacks to gain unauthorized access.

ORB networks provide dynamic C2 capabilities, allowing attackers to rotate the servers with which compromised hosts communicate. This ensures continuous communication while obscuring the true origin of the attacker. Additionally, the network can facilitate ongoing remote access to the victim, with attackers strategically selecting “exit nodes” that appear more legitimate or local to the target, such as servers located in the same country.

During the exfiltration phase, attackers can leverage the ORB network to create confusion for defenders by routing stolen data through multiple exit nodes. This decentralized approach makes it difficult to track the data’s final destination, slowing down incident response and making it harder to mitigate the attack.

Defending against attacks that leverage ORB Networks requires specialized strategies. Traditional detection methods, such as monitoring edge network traffic, may be insufficient due to the multiple layers of obfuscation in ORB Networks. Here are some steps analysts can take to improve their defenses:

Proactive threat hunting, beyond passive monitoring, is a critical strategy in defending against ORB Networks. Security teams should actively scan for indicators of compromise (IoCs) associated with ORB Networks, such as unusual communication paths between compromised devices and VPS servers, or unique service/network characteristics, for example, a distinctive X.509 certificate. Using this data, threat hunters can identify patterns of activity that may signal an ORB network presence before it is fully operational.

Implementing behavioral analytics can help detect anomalies in network activity. ORB Networks often exhibit new or unexpected behaviors, such as connections to unfamiliar IP addresses, unusual protocols, or irregular traffic patterns. Machine learning algorithms can analyze these behaviors to identify deviations from normal network activity, allowing for early detection of malicious activity.

Even though ORB Networks are designed to evade detection, careful analysis of network traffic can still uncover irregularities. Analysts should look for unusual traffic patterns such as lateral movement between devices, unexpectedly high outbound traffic, or data being relayed through multiple geographic locations. Traffic to and from compromised IoT devices, which often have predictable behavior patterns, may provide clues for identifying ORB network activity.

Staying up-to-date on the latest threat actor tactics, techniques, and procedures (TTPs) related to ORB Networks is crucial. Threat intelligence feeds can be used to identify known C2 infrastructures or compromised devices acting as relay points in ORB Networks. Integration of these feeds into existing security systems can automate alerts and help identify ORB-related activity faster.

Adopting a Zero Trust approach helps minimize the risks posed by ORB Networks. This model assumes that no device, whether inside or outside the network, should be trusted by default. Implementing strict access controls, multifactor authentication (MFA), and continuous network monitoring can limit the damage caused by an ORB network intrusion. Microsegmentation, which breaks networks into smaller security zones, can further isolate compromised devices, making it more difficult for attackers to move laterally.

As ORB Networks continue to evolve, understanding their architecture and operational methods is essential for cybersecurity teams looking to counter advanced, persistent threats. These networks allow attackers to obscure their identities and bypass traditional detection methods, presenting a formidable challenge to defenders.

To stay ahead of these sophisticated threats, organizations must adopt proactive strategies such as behavioral analytics, network traffic analysis, and the integration of threat intelligence. Additionally, implementing a Zero Trust model can help limit the damage caused by an intrusion.

Looking ahead, defending against ORB Networks requires more than just advanced technical capabilities; it demands a mindset focused on continuous improvement and agility. As threat actors refine their methods, cybersecurity teams must remain proactive, leveraging the latest tools, threat intelligence, and defense techniques to stay one step ahead.

Ultimately, the key to combating ORB Networks lies in staying vigilant and adaptable. The dynamic nature of these networks means that defenders need to constantly evolve their approaches, ensuring they can effectively disrupt the threat landscape before attackers achieve their objectives.

Several ORB networks are now tagged within our Pure Signal™ Scout and Recon platforms, making research, identification and attribution more intuitive and faster, enabling comprehensive mapping of attacker infrastructure.

Give Scout or Recon a spin and create your own unique insights of ORB Networks that may pose a risk to your organization here’s how to connect – Talk to an Expert or Request a Demo