China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

A Chinese-linked threat actor identified as UAT-7810 is reportedly expanding its network of compromised devices, known as the Operational Relay Box (ORB) network, by deploying new custom malware. Cisco Talos researchers have observed this actor compromising internet-facing networking devices to achieve this expansion.
The newly developed malware, dubbed LONGLEASH, is designed to facilitate this growth of the ORB network. This malware allows UAT-7810 to gain control over vulnerable networking hardware, effectively turning these devices into proxies for malicious activities. The use of compromised networking devices is a common tactic for threat actors seeking to obfuscate their origins and create resilient command-and-control infrastructure.

While the specific vulnerabilities exploited to compromise these networking devices were not detailed, the focus on internet-facing hardware suggests that publicly accessible devices with known or unpatched weaknesses are likely targets. Such devices, often deployed by organizations and individuals, can become entry points for attackers if not properly secured and maintained.
The ORB network, as described by Talos, serves as a distributed infrastructure that UAT-7810 can leverage for various purposes. By expanding this network, the threat actor increases its capacity to conduct operations, potentially including data exfiltration, denial-of-service attacks, or serving as a pivot point for further intrusions into target networks. The distributed nature of the ORB network makes it more challenging to dismantle and disrupt.
The LONGLEASH malware itself is a custom-built tool, indicating a level of sophistication and investment by UAT-7810 in its operational capabilities. Custom malware often evades detection by signature-based security solutions that are primarily designed to identify known, off-the-shelf threats. The development of new tools suggests an ongoing effort by the actor to adapt and improve their attack methodologies.

The attribution to a China-linked threat actor, UAT-7810, places this activity within the broader landscape of state-sponsored or state-aligned cyber operations. Such actors often possess significant resources and pursue strategic objectives, which can include espionage, intellectual property theft, or disruption.
The expansion of the ORB network through the deployment of LONGLEASH malware highlights the persistent threat posed by compromised networking infrastructure. Organizations that deploy internet-facing devices are encouraged to maintain robust security practices. This includes regularly updating firmware and software on all networking equipment, implementing strong access controls, and monitoring network traffic for anomalous activity.
While specific mitigation steps for the LONGLEASH malware were not provided, general security best practices for network device security are crucial. This includes disabling unnecessary services, changing default credentials, and segmenting networks to limit the impact of any potential compromise. Continuous vigilance and proactive security measures are essential to defend against evolving threats from actors like UAT-7810.





