Chinese cyber espionage groups, such as Volt Typhoon, have been using operational relay box networks (ORBs) since around 2020. These networks incorporate components like relay nodes, traversal nodes, and exit/staging nodes, all administered via adversary-controlled operations servers. ORBs are akin to a maze that regularly reconfigures, complicating attribution efforts and allowing nation-state attackers to proxy into target environments unobtrusively. Mandiant researchers note that ORBs have been used for concealing espionage operations and targeting critical infrastructure, with an ORB called ORB3, or Spacehop, spanning global geographies.

 Chinese hackers use operational relay box networks aka ORBs to screen their activity

The extensive use of ORBs calls for defenders to track them much as they track advanced persistent threat (APT) groups. The report emphasizes how difficult it is to identify attackers by egress IP address: ORB networks proxy traffic through legitimate devices and match the attack traffic to the target enterprise's geographic location, all while the device owners remain unaware of their involvement in espionage activities.
https://www.bankinfosecurity.com/chinese-cyber-espionage-groups-tied-to-orb-network-attacks-a-25292