Cybersecurity researchers have uncovered a covert operation involving over 1,000 compromised small office and home office (SOHO) devices exploited by hacking groups linked to China. Named the Operational Relay Box (ORB) network ‘LapDogs’ by SecurityScorecard’s STRIKE team, the campaign reflects a growing trend in cyber espionage tradecraft: routing operations through hijacked edge devices rather than attacker-owned infrastructure.
The report highlights that the LapDogs network primarily targets victims across the United States and Southeast Asia, with a notable presence in Japan, South Korea, Hong Kong, and Taiwan. The affected sectors include IT, networking, real estate, and media, indicating broad rather than narrowly focused targeting. According to SecurityScorecard, the network has been growing steadily, increasing the threat it poses to a range of industries.
Central to the LapDogs operation is a custom backdoor called ‘ShortLeash’, designed to commandeer infected devices. ShortLeash installs a fake Nginx web server and utilizes a self-signed TLS certificate falsely bearing the name of the Los Angeles Police Department as a ruse. The malware primarily targets Linux-based devices, although versions for Windows have surfaced, underscoring the adaptability and reach of the threat actors.
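The certificate and web-server detail above is the most actionable indicator in the report for defenders running TLS inventories of their edge devices. As an added example (not code from the report or from SecurityScorecard), the script below triages TLS-scan records for the pattern described: a self-signed certificate whose subject names the Los Angeles Police Department, served alongside an nginx banner on a SOHO-class device. The record layout, the `device_class` labels and the sample hosts are constructed assumptions, not any real scanner's schema.

```python
"""Triage TLS-scan records for the ShortLeash certificate pattern.

Constructed example: the records below are invented scan output in the shape
a TLS inventory tool might export (host, device class from fingerprinting,
parsed subject/issuer DNs, HTTP Server header). Field names are assumptions.
"""
from dataclasses import dataclass

# Organisation/CN strings that have no business appearing on a certificate
# served by a SOHO router. The LAPD entry is the one the LapDogs report
# describes for ShortLeash; matching is a case-insensitive substring test.
SUSPICIOUS_SUBJECT_STRINGS = ("los angeles police department",)

# Device classes an inventory might assign to consumer/SOHO gear.
# Hypothetical labels used only for illustration.
SOHO_DEVICE_CLASSES = {"soho-router", "ip-camera", "nas"}


@dataclass(frozen=True)
class TlsRecord:
    host: str
    device_class: str        # e.g. "soho-router", from an inventory fingerprint
    subject: dict            # parsed subject DN, e.g. {"CN": ..., "O": ...}
    issuer: dict             # parsed issuer DN
    server_header: str = ""  # HTTP Server header observed on the same port


def is_self_signed(rec: TlsRecord) -> bool:
    """A self-signed certificate carries identical subject and issuer DNs."""
    return rec.subject == rec.issuer


def suspicious_subject(rec: TlsRecord) -> bool:
    """True if any watchlisted organisation name appears in the subject DN."""
    text = " ".join(str(v) for v in rec.subject.values()).lower()
    return any(s in text for s in SUSPICIOUS_SUBJECT_STRINGS)


def triage(records) -> dict:
    """Return {host: [reasons]} for hosts that merit a closer look."""
    findings = {}
    for rec in records:
        reasons = []
        if suspicious_subject(rec):
            reasons.append("certificate subject matches a watchlisted organisation name")
        # Weaker signal on its own: many SOHO devices legitimately use
        # self-signed certificates, so pair it with the fake-nginx banner.
        if (is_self_signed(rec)
                and rec.device_class in SOHO_DEVICE_CLASSES
                and "nginx" in rec.server_header.lower()):
            reasons.append("self-signed certificate on SOHO device with nginx banner")
        if reasons:
            findings[rec.host] = reasons
    return findings


# Constructed sample records (documentation-range addresses, invented DNs).
SAMPLE_RECORDS = [
    TlsRecord(host="198.51.100.10", device_class="soho-router",
              subject={"CN": "Los Angeles Police Department"},
              issuer={"CN": "Los Angeles Police Department"},
              server_header="nginx/1.18.0"),
    TlsRecord(host="198.51.100.11", device_class="soho-router",
              subject={"CN": "router.local"}, issuer={"CN": "router.local"},
              server_header="lighttpd/1.4"),
    TlsRecord(host="203.0.113.5", device_class="server",
              subject={"CN": "www.example.com", "O": "Example Corp"},
              issuer={"CN": "Example CA"}, server_header="nginx/1.24.0"),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_RECORDS).items():
        print(host, "->", "; ".join(reasons))
```

Treat the second rule as a triage signal rather than a verdict: a self-signed certificate plus an nginx banner is common on legitimate gear, so the output is a queue for confirmation against the device's expected firmware and management interface, not an automatic block list.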
Initial activity from the LapDogs campaign was detected in September 2023, indicating an operation that has been running for some time. The attackers appear to deploy their exploits in manageable batches, infecting no more than 60 devices at a time, with a total of 162 distinct intrusion sets identified so far. Batching infections this way keeps the infrastructure effective while keeping its footprint low enough to avoid drawing attention.
Further investigation revealed similarities between LapDogs and another ORB cluster known as ‘PolarEdge’, which was previously identified as targeting vulnerable routers and IoT devices. While both networks exhibit certain overlaps, SecurityScorecard has assessed LapDogs and PolarEdge as distinct entities due to their differing methods of infection and operational objectives.
The attackers behind LapDogs, possibly linked to a group known as UAT-5918, reportedly used the network in at least one targeting operation against Taiwan. Such activities underline the ongoing complexity of cyber threats associated with state-sponsored actors and their strategic use of ORB networks for covert operations.
As the cybersecurity landscape evolves, experts stress the importance of awareness and preparedness against such threats. The emergence of networks like LapDogs illustrates how attackers keep adapting their strategies, underscoring the need for ongoing vigilance and layered defences in both the private and public sectors.