Operational Relay Box (ORB) networks are covert, mesh-based infrastructures used by advanced threat actors to hide the true origin of their cyberattacks.
Built from compromised Internet-of-Things (IoT) devices, Small Office/Home Office (SOHO) routers, and rented Virtual Private Servers (VPS), these networks act like private residential proxy systems that blend malicious traffic with legitimate user activity.
In an ORB network, traffic hops across multiple relay nodes before reaching the target, with most connections occurring between relay boxes themselves.
Team Cymru researchers note that ORBs are increasingly used by China‑nexus espionage groups and are expected to be adopted more widely by other actors over time.
By constantly rotating exit nodes, often IPs that appear to belong to normal home broadband customers, attackers achieve strong anonymity and make it extremely difficult for defenders to trace or confidently block attack traffic without risking collateral damage to real users and businesses.
ORB Networks’ Cyberattack Strategy
This design gives ORBs high resilience: if one node is exposed or blocked, it can be quickly replaced by another compromised router, IoT device, or VPS, allowing campaigns to persist for months.
Team Cymru’s recent analysis of Singapore’s telecommunications sector shows how these networks are being operationalized in the real world.
Using its Pure Signal Scout platform, Team Cymru identified up to 12 unique ORB‑tagged IPs in the last 90 days on the four major Singaporean ISPs (M1, SIMBA Telecom, Singtel, and StarHub), and up to 44 ORB‑tagged IPs across Singapore overall in the same period.
Many of these ORB nodes were hosted on infrastructure belonging to cloud and hosting providers such as AWS, Vultr, and other regional networks, illustrating how attackers mix compromised SOHO routers with VPS‑based relays.
NetFlow‑based telemetry further revealed that 42 unique ORB IPs had communicated with the four telcos in the last 30 days, while 62 unique IPs on those ISPs had conversed with ORB nodes, the majority of which, Team Cymru noted, were tagged as D‑Link and Asus routers.
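As an added illustration of the NetFlow‑based check described above (example code, not Team Cymru's tooling), the following Python computes both views from that paragraph over constructed flow records: ORB‑tagged IPs that talked to ISP address space inside a 30‑day window, and ISP IPs that conversed with ORB nodes. The ORB list and ISP prefixes are assumed placeholders (documentation ranges), not real indicators.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed ORB-tagged IP list (placeholder documentation addresses, not real indicators).
ORB_TAGGED_IPS = {"203.0.113.10", "198.51.100.7", "192.0.2.33"}

# Hypothetical ISP customer prefixes (assumed; not the real telcos' address space).
ISP_PREFIXES = {
    "TelcoA": ipaddress.ip_network("10.10.0.0/16"),
    "TelcoB": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed NetFlow-style records: start time, src, dst, dst port, bytes.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,bytes
2024-06-01T10:00:00Z,203.0.113.10,10.10.4.2,443,1520
2024-06-02T11:30:00Z,10.20.9.9,198.51.100.7,8443,800
2024-06-03T09:15:00Z,10.10.4.2,203.0.113.10,443,200
2024-03-01T08:00:00Z,192.0.2.33,10.10.7.7,22,300
2024-06-04T12:00:00Z,172.16.0.5,10.10.1.1,80,100
"""

def isp_of(ip):
    """Return the name of the ISP whose prefix contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ISP_PREFIXES.items():
        if addr in net:
            return name
    return None

def orb_contacts(flow_text, now, window_days=30):
    """Return (orb_ips, isp_ips) for flows inside the window:
    orb_ips  = ORB-tagged addresses that exchanged flows with ISP customers,
    isp_ips  = ISP addresses that conversed with any ORB-tagged node.
    Relay-to-relay flows (both ends ORB, neither in ISP space) are ignored."""
    cutoff = now - timedelta(days=window_days)
    orb_ips, isp_ips = set(), set()
    for row in csv.DictReader(io.StringIO(flow_text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue  # outside the look-back window
        # Check both directions: ORB as source, and ORB as destination.
        for orb, other in ((row["src_ip"], row["dst_ip"]), (row["dst_ip"], row["src_ip"])):
            if orb in ORB_TAGGED_IPS and isp_of(other):
                orb_ips.add(orb)
                isp_ips.add(other)
    return orb_ips, isp_ips

def demo():
    """Run the check on the constructed sample with a fixed reference time."""
    return orb_contacts(SAMPLE_FLOWS, datetime(2024, 6, 10, tzinfo=timezone.utc))
```

The two set sizes correspond to the two counts quoted in the paragraph (unique ORB IPs seen, and unique ISP IPs that spoke to them); the March record falls outside the 30‑day window and is excluded.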
This ORB activity aligns with the broader espionage campaign by the Chinese‑linked group UNC3886, which Singapore disrupted through Operation CYBER GUARDIAN, its largest multi‑agency cyber operation to date.
Mitigations
CSA and IMDA reported that UNC3886 exploited a zero‑day to bypass perimeter firewalls at all four major telcos, gaining access to parts of their networks and exfiltrating a limited amount of technical, primarily network‑related data.
Mandiant has previously tied UNC3886 to custom TINYSHELL‑based backdoors on Juniper routers and other edge devices, emphasizing the group’s focus on long‑term, stealthy access to telecom and critical infrastructure.
In that Juniper campaign, several Singapore‑based IPs tied to local providers such as M1 and StarHub were identified as staging nodes later assessed by researchers as part of the GOBRAT ORB network.
Singapore has responded with unusually strict national countermeasures focused on router and consumer device security.
The Infocomm Media Development Authority’s TS RG‑SEC specification requires residential gateways sold locally to be “secure by default,” including automatic security updates throughout warranty or until declared end of life.
CSA’s Cybersecurity Labelling Scheme (CLS) adds a visible security “hygiene rating,” with routers needing at least CLS Level 1 (unique default passwords, a vulnerability disclosure policy, and ongoing software support) before they can be sold.
Yet a legacy gap remains: millions of older or imported routers fall outside these protections, leaving a pool of devices that can still be quietly absorbed into ORB networks and repurposed as anonymizing launchpads for long‑term espionage campaigns like those run by UNC3886.