Introduction
ORB (Operational Relay Box) networks, covert mesh-based infrastructure used by advanced threat actors, are increasingly being leveraged to hide the true origin of cyberattacks. These networks are built from compromised Internet-of-Things (IoT) devices and Small Office/Home Office (SOHO) routers, along with rented Virtual Private Servers (VPS).
How ORB Networks Operate
In an ORB network, attack traffic hops across multiple relay nodes before reaching the target. Because each hop is an ordinary consumer router, IoT device or hosting address, attackers gain strong anonymity, and defenders cannot easily trace or block the traffic without risking collateral damage to the real users and businesses behind those addresses.
Recent Analysis by Team Cymru
Team Cymru’s recent analysis of Singapore’s telecommunications sector shows how these networks are being operationalized in the real world. Using its Pure Signal Scout platform, Team Cymru identified up to 12 unique ORB-tagged IPs on four major Singaporean ISPs (M1, SIMBA Telecom, Singtel, and StarHub) over the last 90 days.
Details of the Analysis
The analysis revealed that:
- Up to 44 ORB-tagged IPs were active across Singapore in the same period.
- NetFlow-based telemetry showed that 42 unique ORB IPs had communicated with the four telcos in the last 30 days.
- 62 unique IPs on those ISPs had conversed with ORB nodes, most of which were tagged as D-Link and Asus routers.
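As an added illustration of the NetFlow-style matching the analysis describes (example code written for this page, not Team Cymru's or Pure Signal Scout's tooling), the following Python matches constructed flow records against a constructed set of ORB-tagged IPs and reports, per ISP, how many local IPs conversed with ORB nodes and how many distinct ORB nodes were seen. The addresses, prefixes and ISP labels are all placeholders.

```python
import ipaddress
from collections import defaultdict
# Constructed ORB indicator set (RFC 5737 documentation addresses, not real ORB nodes);
# in practice this comes from a threat-intel feed such as the ORB tagging cited above.
ORB_NODES = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Constructed, hypothetical ISP prefixes standing in for the telcos' address space.
ISP_PREFIXES = {
    "ISP-A": ipaddress.ip_network("203.0.113.0/25"),
    "ISP-B": ipaddress.ip_network("203.0.113.128/25"),
}

# Constructed NetFlow-style records: timestamp,src,dst,dst_port,bytes
SAMPLE_FLOWS = """\
2024-01-01T00:00:01,203.0.113.5,192.0.2.10,443,1200
2024-01-01T00:00:02,192.0.2.10,203.0.113.5,443,800
2024-01-01T00:00:03,203.0.113.130,198.51.100.7,8443,300
2024-01-01T00:00:04,203.0.113.6,198.51.100.200,53,60
2024-01-01T00:00:05,203.0.113.5,192.0.2.11,443,150
"""

def parse_flows(text):
    """Parse comma-separated flow records into dicts, skipping malformed lines."""
    fields = ("ts", "src", "dst", "dport", "bytes")
    return [dict(zip(fields, line.strip().split(","))) for line in text.splitlines()
            if line.count(",") == 4]

def isp_of(ip):
    """Return the ISP label whose prefix contains ip, or None if it is not ISP space."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ISP_PREFIXES.items() if addr in net), None)

def orb_contacts(flows, orb_nodes=ORB_NODES):
    """Map each ISP-side IP to the ORB nodes it exchanged traffic with (either direction)."""
    contacts = defaultdict(set)
    for f in flows:
        # Check both directions: the ORB node may be the flow's source or its destination.
        for local, remote in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if remote in orb_nodes and isp_of(local):
                contacts[local].add(remote)
    return dict(contacts)

def summarize_by_isp(contacts):
    """Per ISP: (number of local IPs talking to ORB nodes, number of distinct ORB nodes seen)."""
    local_by_isp, orb_by_isp = defaultdict(set), defaultdict(set)
    for local, nodes in contacts.items():
        isp = isp_of(local)
        local_by_isp[isp].add(local)
        orb_by_isp[isp].update(nodes)
    return {isp: (len(local_by_isp[isp]), len(orb_by_isp[isp])) for isp in local_by_isp}
```

The two counts returned by summarize_by_isp correspond to the "unique IPs on those ISPs" and "unique ORB IPs" figures the analysis reports.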
Connection to Broader Espionage Campaigns
This ORB activity aligns with the broader espionage campaign by the China-linked group UNC3886, which Singapore disrupted through Operation CYBER GUARDIAN, its largest multi-agency cyber operation to date.
Mitigations and Countermeasures
Singapore has responded with strict national countermeasures focused on router and consumer device security:
- The Infocomm Media Development Authority’s TS RG-SEC specification requires residential gateways sold locally to be “secure by default.”
- CSA’s Cybersecurity Labelling Scheme (CLS) adds a visible security hygiene rating; routers must reach at least CLS Level 1, which requires unique default passwords and ongoing software support.
Legacy Gap Remains
A legacy gap remains: millions of older or imported routers fall outside these protections, leaving a pool of devices that can still be absorbed into ORB networks and repurposed as anonymizing launchpads for long-term espionage campaigns.
