ORB Networks Hide Attacks Behind Compromised IoT Devices and SOHO Routers


Operational Relay Box (ORB) networks let attackers mask where their traffic really comes from. Recent research and a major government response in Singapore show these networks are now a favoured tool for state-level and sophisticated criminal operations. They route traffic through many compromised IoT devices and small office/home office (SOHO) routers, so defenders see only the relays, not the true origin. Team Cymru and the Cyber Security Agency of Singapore have both published findings and alerts that illustrate how ORBs work and why they are hard to stop.

Attackers using ORB networks blend malicious traffic with normal home and business connections. This tactic complicates investigations, increases false positives, and raises the chance that defenders will break legitimate services when they respond. In Singapore, authorities say the toolset was used as part of a wider campaign against national telecom infrastructure. UNC3886 is named in official disclosures as a principal threat actor associated with these intrusions. Singtel, StarHub, M1 and SIMBA Telecom were identified as targets.

What an ORB network does

An ORB network creates a layered relay system of compromised IoT devices, SOHO routers, and rented servers. Attack traffic is passed through this mesh so defenders see the relays rather than the attacker’s command systems. That makes attribution slow, forensics harder, and takedowns expensive.

How ORB networks work

  1. Attackers compromise many low-security devices, such as home routers and IoT gadgets.
  2. They assemble these devices and some VPS hosts into a distributed relay mesh.
  3. Malicious traffic enters the mesh, hops through several ORB nodes, and exits near the intended victim.
  4. The victim sees inbound connections from many plausible residential or business IPs, not the attacker’s infrastructure.
  5. If defenders block one node, the attacker swaps in another and keeps the network running.

This model mixes proxy and botnet techniques. It looks like legitimate traffic while hiding malicious intent. Team Cymru explains this clearly: “Researchers here at Team Cymru have observed an increase in the abundance of large-scale ORB networks used by threat actors, especially those attributed to China, and expect this trend to continue.”

Why Singapore’s response matters

The Cyber Security Agency of Singapore led an 11-month multi-agency operation called Operation CYBER GUARDIAN to evict UNC3886 from telco networks. In its public statement the agency said:

“The threat actor was able to gain unauthorised access into some parts of telco networks and systems. In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services.” (Cyber Security Agency of Singapore)

That statement shows two important facts. First, ORB-style operations can reach core infrastructure. Second, careful defence and coordinated response can contain exposure and avoid service disruption.

Where ORB networks are most effective

  • Against large, internet-facing infrastructure such as telecom providers and cloud front ends.
  • When attackers need stealth, for reconnaissance or long-term persistence.
  • Where blocking is risky, since exit nodes often come from residential ISPs or popular hosting providers.

Team Cymru notes that ORBs combine the scale of botnets with the anonymity of VPNs, which makes them especially resilient.

Indicators and telemetry defenders should hunt for

Indicator type | What to look for
Unusual east-west traffic | Unexpected connections between geographically distant SOHO routers
Reused certificates or uncommon X.509 fingerprints | May point to the same operator controlling nodes
High diversity of exit IPs | Sudden spikes of traffic from many residential IP ranges
NetFlow anomalies | Repeated short-lived sessions from IPs that later act as relays
Ongoing low-volume scans | Reconnaissance before exploitation

These signs are subtle. They require proactive hunting, network baselining, and correlation with threat intelligence feeds.
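The "high diversity of exit IPs" and "NetFlow anomalies" rows of the table above, as an added hunting example that is not from the article or from Team Cymru: it runs over constructed NetFlow-style records (documentation address ranges) and flags a time window whose count of distinct source /24s jumps against the earlier baseline, plus any source whose repeated short-lived sessions are followed by fan-out to several internal hosts. The record layout, window size and thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed NetFlow-style records (timestamp_s, src, dst, dport, duration_s); documentation ranges, not real traffic
FLOWS = [
    (5, "203.0.113.5", "198.51.100.10", 443, 30),
    (40, "192.0.2.7", "198.51.100.10", 443, 12),
    (70, "203.0.113.5", "198.51.100.10", 443, 25),
    (95, "192.0.2.8", "198.51.100.10", 443, 60),
    (130, "100.64.1.2", "198.51.100.10", 443, 1),  # four new /24s open one-second
    (131, "100.64.2.2", "198.51.100.10", 443, 1),  # sessions within a few seconds
    (132, "100.64.3.2", "198.51.100.10", 443, 1),
    (133, "100.64.4.2", "198.51.100.10", 443, 1),
    (140, "100.64.1.2", "198.51.100.10", 443, 1),
    (400, "100.64.1.2", "198.51.100.20", 22, 300),  # the same source later fans out
    (410, "100.64.1.2", "198.51.100.21", 22, 300),  # to internal hosts: behaviour of
    (420, "100.64.1.2", "198.51.100.22", 22, 300),  # a node now used as a relay
]

def prefix24(ip):
    """Collapse an address to its /24, roughly one residential ISP allocation."""
    return str(ip_network(f"{ip}/24", strict=False))

def diversity_per_window(flows, dst, window=60):
    """Distinct source /24s per time window against one service (dst)."""
    seen = defaultdict(set)
    for ts, src, d, _port, _dur in flows:
        if d == dst:
            seen[ts // window].add(prefix24(src))
    return {w: len(p) for w, p in sorted(seen.items())}

def diversity_spikes(flows, dst, window=60, factor=2.0):
    """Windows whose /24 diversity is at least factor x the mean of all earlier windows."""
    spikes, history = [], []
    for w, n in diversity_per_window(flows, dst, window).items():
        if history and n >= factor * mean(history):
            spikes.append(w)
        history.append(n)
    return spikes

def relay_candidates(flows, short_s=2, min_short=2, min_dsts=3):
    """Sources with repeated short sessions that afterwards reach many distinct hosts."""
    short_ts, later = defaultdict(list), defaultdict(set)
    for ts, src, dst, _port, dur in sorted(flows):  # single chronological pass
        if len(short_ts[src]) >= min_short and ts > short_ts[src][-1]:
            later[src].add(dst)
        if dur <= short_s:
            short_ts[src].append(ts)
    return sorted(s for s, d in later.items() if len(d) >= min_dsts)
```

Both signals are weak on their own; the point is to correlate a diversity spike with sources that later show relay-like fan-out before escalating.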

Practical defensive steps

  • Treat ORB activity as a signal for advanced, persistent intrusion.
  • Use behavioral analytics to detect improbable communication paths.
  • Apply microsegmentation to limit lateral movement.
  • Harden and inventory SOHO and IoT devices where possible.
  • Integrate threat intelligence and NetFlow analysis to map suspicious relay patterns.
  • Work with ISPs and hosting providers to take down confirmed malicious nodes.

Real-world example: Singapore telecoms and UNC3886

  • Who was targeted: Singtel, StarHub, M1 and SIMBA Telecom.
  • Who responded: A whole-of-government operation named Operation CYBER GUARDIAN involving over 100 cyber defenders from multiple agencies.
  • Tactics used by attackers: Zero-day firewall exploit, rootkits, long-term persistence, and use of ORB relays to mask activity.

The Singapore case shows ORBs can form part of a broader, patient campaign that includes exploitation, stealthy persistence, and careful reconnaissance.

FAQ

Q: Are ORB networks the same as botnets?

A: No. ORBs mix botnet-style compromised devices with rented VPS and proxy-like routing. They act like a distributed residential proxy network rather than a pure DDoS botnet.

Q: Do ORB networks always indicate state actors?

A: Not always. Historically state-linked groups have used ORBs, but financially motivated attackers can and do adopt the technique.

Q: Can blocking exit IPs stop ORBs?

A: Blocking single exit IPs helps short term but is not a complete solution. ORBs are designed to swap nodes quickly, so defenders need coordinated takedown strategies and behavioral detection.

Q: What should telecoms do differently?

A: Telecoms should prioritize continuous monitoring, collaborate with national CERTs, invest in NetFlow analytics, and harden edge devices and management interfaces.
