The ORB Networks
May 22, 2024
Michael Raggi, Principal Analyst at Mandiant Intelligence, discusses the ORB (operational relay box) networks used by China-nexus threat actors for cyber espionage. Topics include the anatomy of ORB networks, how ORB networks such as SPACEHOP are leveraged by APT groups, and the implications for defenders. The conversation covers the evolution of these tactics, frameworks for understanding and communicating about ORB networks, and the challenges of attribution in cyber operations.
AI Snips
ORB Networks: A Paradigm Shift
- ORB networks represent a significant shift in how Chinese cyber espionage operations route their traffic.
- Unlike traditional botnets, which an actor builds and operates for itself, these networks are created and administered by private-sector entities and offer obfuscated traffic routing as a service.
Provisioned vs. Non-Provisioned ORBs
- ORB networks come in two main types: provisioned (built on commercially leased VPS hosts) and non-provisioned (built on compromised routers and IoT devices).
- Non-provisioned networks are more complex and harder to detect because the device types involved are so diverse.
Universal ORB Anatomy
- Mandiant's universal ORB anatomy defines five stages: the ACOS (Adversary Controlled Operations Server), Relay Node, Traversal Nodes, Exit Node, and Victim Server.
- This framework gives defenders a common vocabulary for describing ORB components regardless of a given network's architecture.