Overview
Cisco Talos has published new research on UAT-7810, a Chinese advanced persistent threat (APT) actor that is actively refining its bespoke malware arsenal to expand its Operational Relay Box (ORB) network. The actor has deployed a newly identified malware family called LONGLEASH, which targets internet-facing networking devices to build covert proxy infrastructure used to obfuscate the origin of cyberattack traffic.
What Is an ORB Network?
An Operational Relay Box (ORB) network is a technique increasingly favored by sophisticated state-sponsored threat actors — particularly those with China nexus. Rather than connecting directly to targets from infrastructure attributable to the attacker, threat actors compromise thousands of intermediate devices (routers, firewalls, VPNs, IoT devices) to route their traffic through a rotating chain of proxies.
The advantages of ORB infrastructure include:
- Attribution obfuscation: Traffic appears to originate from legitimate residential or business IP addresses worldwide
- Geographic flexibility: Attackers can route through devices in specific regions to blend with expected traffic
- Persistence: The compromised relay nodes are often forgotten by their owners and remain active for extended periods
- Resilience: Losing individual nodes doesn't disrupt operations — the pool is continuously replenished
UAT-7810 and LONGLEASH
UAT-7810 is an established Chinese APT group that Cisco Talos has been tracking as a significant ORB operator. The group now employs LONGLEASH, a purpose-built malware specifically engineered to:
- Compromise internet-facing network devices: Routers, VPN concentrators, and edge networking equipment are the primary targets
- Establish persistent relay nodes: Infected devices are enrolled in the ORB network to relay attacker traffic
- Evade detection: LONGLEASH is designed to operate quietly, mimicking legitimate device behavior to avoid triggering network anomaly detection
- Self-update: The malware includes mechanisms to receive updated configurations and capabilities from command-and-control infrastructure
Targeted Devices
UAT-7810 and LONGLEASH focus on internet-facing network infrastructure, including:
- Edge routers from various vendors
- VPN appliances and gateways
- Network-attached storage (NAS) devices
- Other internet-accessible networking hardware
These targets are attractive because they typically run embedded operating systems with limited security visibility, receive infrequent security updates, and are rarely subjected to the same scrutiny as endpoint workstations.
Broader China ORB Network Landscape
UAT-7810 operates within a broader ecosystem of Chinese ORB networks that have come under increased scrutiny from Western security researchers and governments. Similar infrastructure has been linked to other Chinese APT groups. Key characteristics of the China-linked ORB ecosystem include:
- Scale: Individual ORB networks may encompass tens of thousands of compromised devices
- Operational longevity: Nodes may remain active for months or years before discovery
- Targeting: ORB networks are used to support espionage operations against government, defense, critical infrastructure, and technology organizations
- Shared infrastructure: Evidence suggests some ORB infrastructure is shared across multiple Chinese threat actor groups
Detection and Defense
Organizations should take the following steps to reduce exposure to ORB-based attacks and LONGLEASH compromise:
For Network Device Owners
- Patch aggressively: Apply vendor security updates to all internet-facing network devices immediately upon release
- Disable unnecessary remote management: Turn off remote access services (Telnet, HTTP management, SSH) when not needed, or restrict to known management IPs
- Monitor device behavior: Look for unusual outbound connections, high network throughput at odd hours, or unexpected configuration changes
- Reboot regularly: For some ORB malware variants, a reboot clears the infection (though persistent variants survive reboots)
- Replace end-of-life hardware: Devices no longer receiving security updates are perpetual vulnerabilities
For Security Teams
- Network traffic analysis: Detect anomalous relay behavior by analyzing traffic flows for known ORB network indicators
- Threat intelligence feeds: Subscribe to feeds that track known ORB network IP ranges and update blocklists regularly
- Zero trust architecture: Assume network perimeter devices may be compromised — enforce strong authentication for internal access even from "trusted" network segments
Geopolitical Context
The expansion of Chinese ORB networks comes amid heightened geopolitical tensions and an increasing tempo of state-sponsored cyber operations. Western intelligence agencies — including CISA, NSA, the UK's NCSC, and Canada's CSE — have issued joint advisories in recent years specifically warning about Chinese ORB network infrastructure and urging network device owners to take immediate protective action.
UAT-7810's development of LONGLEASH represents continued investment by Chinese state-affiliated actors in persistent, scalable espionage infrastructure designed to operate below the detection threshold of most organizations.