ORB networks and their impact on digital security in the Netherlands
By our experts
Within the National Cyber Security Centre (NCSC), I, Noortje Henrichs, lead the CTI (Cyber Threat Intelligence) team. In this blog, I address an emerging trend that was clearly visible in the field of CTI last year. A trend that my colleagues and I will increasingly have to deal with in the near future and which will increasingly complicate our daily work: the development of ‘ORB networks’.
What exactly is this development that worries cybersecurity experts? What are we actually dealing with? ORB networks, also called obfuscation networks or covert networks, are not new. The phenomenon has been around for years and many security companies have written articles about it, such as Google Mandiant (1) and Team Cymru (2). The NCSC also takes an interest in it, as part of its task to provide information on cyber threats.
Still, it is worth delving further into it. My CTI colleagues and I are convinced that this is not a passing trend, and that digital attacks using ORB networks will only increase in the future. It will therefore take effort to protect organisations from this threat, but more on that later.
What is an ORB network?
An ORB network (ORB stands for ‘Operational Relay Box’) is a controlled network of various devices, such as VPS servers, compromised routers and IoT devices. This probably sounds familiar to many, as it resembles a botnet. Botnets, too, consist of infected devices that are controlled to carry out digital attacks. However, while there are certainly similarities between ORB networks and botnets, there are important differences between the two.
Devices that are part of botnets are often controlled by a central party (the ‘bot herder’). In contrast, an ORB network consists of decentrally controlled infrastructure: commercially rented VPS servers or a network of compromised devices, all communicating with each other. Sometimes a network consists of both leased infrastructure and compromised devices.
This makes an ORB network a large-scale and highly flexible infrastructure of connected devices, from which digital attacks can be carried out that are difficult to detect and to block. Sometimes an ORB network can consist of as many as tens of thousands of devices, which administrators can easily expand by compromising and exploiting end-of-life and other vulnerable devices. (3)
"ORB networks are the modern version of botnets. The principle has been around for much longer; it is not a revolution, but more like an evolution."
Digital espionage and detection
According to Google Mandiant, ORB networks have grown rapidly in popularity in recent years. Researchers from this security company recently observed ORB networks associated with sophisticated digital espionage campaigns, especially from China. Because these networks are provided by independent parties, multiple actors may be renting or leasing (parts of) the network at the same time, thus conducting digital attacks from the same ORB network (or even from the same IP address) (4). This makes attribution even more difficult than it already was.
Another characteristic of ORB networks is their geographical spread. The (sometimes very extensive) clusters of VPS servers and compromised devices are not tied to a specific region or to certain internet service providers. This allows actors both to launch their attack from an exit node (the point at which traffic leaves the ORB network) in close proximity to the victim and to quickly switch exit nodes. This of course makes it extra complicated for cybersecurity specialists to recognise this type of network traffic as malicious, because it often appears to be legitimate traffic: it comes from the same region and from regular VPS servers. If you want to block this type of traffic, you will automatically block ‘normal’ network traffic as well.
Attacks from ORB networks are difficult to detect for the same reason. What often works for botnets, namely network detection based on IoCs (Indicators of Compromise), works far less well for ORB networks, because they change IP addresses at a high rate. This makes previously collected IoCs less effective in detecting this kind of rogue traffic. Michael Raggi (at the time of publication working as principal analyst at Mandiant by Google Cloud) (5) described it in an article as follows: ‘They're [ORB networks] like a maze that is continuously reconfiguring with the entrance and the exit disappearing from the maze every 60 to 90 days.’ (6)
So what now?
And what does this mean for digital security in the Netherlands? Although botnets are still widely used (7), in the future we will increasingly have to deal with attacks carried out from ORB networks, precisely because of the accessibility, anonymity and versatility that ORB networks offer the attacker. It is therefore a realistic assumption that other actors will also make more use of this capability in the future, deploying this ‘infrastructure-as-a-service’ (8) not only for cyber espionage but also, for example, for cybercrime.
This development further complicates the work of cybersecurity specialists on detection and prevention. Protecting systems and networks will become even more difficult in light of this development.
Does this mean that all our IoCs have lost their value as of now? Not necessarily. According to Team Cymru, it is still important for organisations to proactively scan for IoCs related to ORB networks, to be alert for unusual connections, irregularities and patterns in network traffic, among other things. (9) CTI teams will therefore focus more on mapping ORB networks in the future, and will have to collaborate with each other to effectively address this huge challenge.
How can organisations deal with this threat?
To counter these (and other) advanced threats, the NCSC advises organisations to implement the ‘assume breach’ principle. This principle assumes that a successful digital attack has already taken place or is about to take place. Based on this principle, measures are taken to limit the damage and impact. These include taking mitigating measures in terms of segmentation, detection, incident response plans and forensic readiness. (10)
In addition, specifically in relation to ORB networks, it is important to actively monitor endpoints such as edge devices (devices located at the edge of the IT network). Here, it is necessary to be alert for anomalous network traffic. The NCSC and the Dutch intelligence services have long seen a trend of vulnerabilities in publicly accessible edge devices such as firewalls, VPN servers, routers and e-mail servers being exploited. (11) Because of these vulnerabilities, these devices are a popular target for malicious actors. See our fact sheet ‘Dealing with edge devices’ (12) for recommendations on how to secure edge devices.
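The two detection points made above, that IP-based IoCs lose value as ORB exit nodes rotate and that edge devices should be watched for anomalous traffic patterns, can be combined in one small piece of detection logic. The following Python example is added here and is not code from the NCSC or from the researchers cited; the log format, the IoC list, the 90-day decay (taken from the rotation figure in the quote above) and the thresholds are all constructed assumptions. It ages IoC matches instead of treating them as permanent, and adds a behavioural check that does not depend on knowing the exit node's address at all: the same account receiving failed logins from many distinct source addresses within a short window.

```python
"""Added example (not from the NCSC post): age-aware IoC matching plus a
behavioural check over constructed VPN-gateway log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC list: exit-node IP -> date the indicator was last confirmed.
# Addresses come from the RFC 5737 documentation ranges; they are not real IoCs.
IOC_LAST_SEEN = {
    "203.0.113.7": datetime(2024, 5, 1),     # recent indicator (constructed)
    "198.51.100.23": datetime(2024, 1, 10),  # stale indicator (constructed)
}

# Assumption: confidence in an IP indicator decays linearly to zero over the
# 60-90 day rotation period mentioned in the post; 90 days is used here.
ROTATION_DAYS = 90

# Constructed analysis time used by the examples below.
NOW = datetime(2024, 6, 1)

# Constructed edge-device log: "<iso timestamp> <src ip> <user> <result>".
LOG_LINES = [
    "2024-06-01T09:00:01 203.0.113.7 alice FAIL",
    "2024-06-01T09:01:15 198.51.100.23 alice FAIL",
    "2024-06-01T09:02:40 192.0.2.45 alice FAIL",
    "2024-06-01T09:03:05 192.0.2.88 alice FAIL",
    "2024-06-01T09:04:30 203.0.113.99 alice FAIL",
    "2024-06-01T09:05:00 192.0.2.10 bob OK",
    "2024-06-01T10:30:00 192.0.2.10 bob FAIL",
    "2024-06-01T10:31:00 192.0.2.10 bob FAIL",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def ioc_confidence(ip, now, last_seen=IOC_LAST_SEEN):
    """Return 1.0 for a fresh indicator, decaying linearly to 0.0 at ROTATION_DAYS.
    Unknown addresses score 0.0."""
    seen = last_seen.get(ip)
    if seen is None:
        return 0.0
    age_days = (now - seen).days
    if age_days < 0:
        return 1.0
    return max(0.0, 1.0 - age_days / ROTATION_DAYS)


def detect_ioc_hits(lines, now, min_conf=0.25):
    """IoC matches that still carry enough confidence to be worth an alert.
    Stale indicators drop out even if their address reappears in the log."""
    hits = []
    for line in lines:
        _, src, _, _ = parse_line(line)
        conf = ioc_confidence(src, now)
        if conf >= min_conf:
            hits.append((src, round(conf, 2)))
    return hits


def detect_distributed_failures(lines, window=timedelta(minutes=10), min_sources=4):
    """Flag users whose failed logins inside one sliding window come from at
    least `min_sources` distinct source IPs. This needs no IoC list, so it still
    fires when the traffic arrives from an exit node nobody has catalogued yet.
    Returns {user: max distinct sources seen in any window}."""
    per_user = defaultdict(list)
    for line in lines:
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            per_user[user].append((ts, src))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(sources))
    return flagged


if __name__ == "__main__":
    print("IoC hits:", detect_ioc_hits(LOG_LINES, NOW))
    print("Distributed failures:", detect_distributed_failures(LOG_LINES))
```

Running it shows the point of the post in miniature: the stale indicator 198.51.100.23 appears in the log but no longer produces an IoC hit, while the behavioural check still flags the account that is being hit from five distinct addresses. In practice the decay curve, the window length and the source threshold need tuning against the organisation's own traffic, otherwise the check will either miss rotated exit nodes or drown in noise from legitimate roaming users.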
Conclusion
Although ORB networks are not new, the emergence and professionalisation of these networks complicates the defence of organisations against digital attacks. The features of ORB networks make it much easier for attackers to carry out digital attacks anonymously and in a flexible manner. Researchers of these types of networks now mainly report on sophisticated digital espionage campaigns from China. In my opinion, however, it is plausible that other digital attackers will also increasingly use this tool in the future.
For the cybersecurity specialists within the NCSC and other (security) organisations, it is therefore all the more necessary that we continue to look for cooperation in view of this development. Only together will we succeed in gaining more insight into these very extensive ORB networks. This insight will help us better interpret digital threats, with the aim of increasing digital security. For this purpose, my team and I will continue to put our best efforts every day.