Exploitation of Over 1,000 SOHO Devices Linked to LapDogs Cyber Espionage Campaign with Chinese Ties


Threat hunters recently identified a substantial network of over 1,000 compromised small office and home office (SOHO) devices, which have been instrumental in supporting a long-running cyber espionage campaign attributed to China-linked hacking groups.

This network, an Operational Relay Box (ORB) network, has been codenamed LapDogs by SecurityScorecard's STRIKE team.

The LapDogs network exhibits a significant concentration of affected devices across the United States and Southeast Asia, showcasing a pattern of gradual expansion, according to observations detailed in a technical report released this week.

In addition to the previously mentioned regions, infections are also prevalent in Japan, South Korea, Hong Kong, and Taiwan, impacting various sectors including IT, networking, real estate, and media. The compromised devices include offerings from Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology.

At the core of the LapDogs network is a custom backdoor dubbed ShortLeash, which recruits infected devices into the broader network. Upon installation, ShortLeash stands up a fake Nginx web server and generates a unique self-signed TLS certificate whose issuer falsely claims to be the Los Angeles Police Department, which is where the network's name comes from.
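A defender can hunt for that certificate trick in passive TLS telemetry: a certificate whose issuer equals its subject (self-signed) and whose issuer names a police department has no legitimate CA behind it. The script below is an added example, not code from the SecurityScorecard report. It assumes Zeek-style ssl.log fields (server IP, server port, subject DN, issuer DN) and that the issuer carries the literal string "Los Angeles Police Department"; the three records it parses are constructed sample data, not captured LapDogs artifacts.

```python
"""Flag TLS certificates whose issuer impersonates a law-enforcement agency.

Added example, not code from the SecurityScorecard report. Assumptions: the
input is Zeek-style ssl.log records (server IP, port, subject DN, issuer DN),
and the certificate's issuer carries the literal string
'Los Angeles Police Department'. All records below are constructed sample data.
"""
from dataclasses import dataclass

# Issuer phrase a legitimate CA would never use (marker taken from the article's description).
SUSPICIOUS_ISSUER_TERMS = ("los angeles police department",)


@dataclass
class CertObservation:
    server_ip: str
    server_port: int
    subject: str
    issuer: str


def parse_dn(dn: str) -> dict:
    """Turn 'CN=x,O=y,C=z' into {'CN': 'x', ...}; attribute types are upper-cased."""
    fields = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().upper()] = value.strip()
    return fields


def parse_ssl_log(text: str) -> list:
    """Parse tab-separated lines: server_ip<TAB>server_port<TAB>subject<TAB>issuer."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, port, subject, issuer = line.split("\t")
        records.append(CertObservation(ip, int(port), subject, issuer))
    return records


def classify(obs: CertObservation) -> list:
    """Return the reasons a certificate observation deserves analyst attention."""
    reasons = []
    if parse_dn(obs.subject) == parse_dn(obs.issuer):
        reasons.append("self_signed")  # issuer equals subject: no CA in the chain
    if any(term in obs.issuer.lower() for term in SUSPICIOUS_ISSUER_TERMS):
        reasons.append("issuer_claims_lapd")
    return reasons


def hunt(log_text: str) -> dict:
    """Map 'ip:port' to reasons for every observation that raised at least one."""
    findings = {}
    for obs in parse_ssl_log(log_text):
        reasons = classify(obs)
        if reasons:
            findings[f"{obs.server_ip}:{obs.server_port}"] = reasons
    return findings


# Constructed sample: one CA-issued cert, one ordinary self-signed NAS cert,
# and one cert shaped like the ShortLeash pattern described in the article.
SAMPLE_LOG = "\n".join([
    "203.0.113.10\t443\tCN=www.example.com\tCN=R11,O=Let's Encrypt,C=US",
    "198.51.100.7\t8443\tCN=nas.local,O=Home\tCN=nas.local,O=Home",
    "192.0.2.44\t443\tCN=LAPD,O=Los Angeles Police Department,C=US"
    "\tCN=LAPD,O=Los Angeles Police Department,C=US",
])

if __name__ == "__main__":
    for endpoint, reasons in hunt(SAMPLE_LOG).items():
        print(endpoint, ",".join(reasons))
```

Only the endpoint that is both self-signed and names the LAPD should be escalated; a bare "self_signed" hit is common on home NAS devices and IoT admin panels and is useful context rather than an alert on its own.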

ShortLeash is primarily delivered via a shell script targeting Linux-based SOHO devices, although evidence of artifacts intended for a Windows version has also been uncovered. The attacks exploit N-day security vulnerabilities (e.g., CVE-2015-1548 and CVE-2017-17663) to achieve initial access.

Initial indicators of the LapDogs activity were observed on September 6, 2023, in Taiwan, with subsequent attacks documented on January 19, 2024. It appears that the campaigns are executed in installment batches, with a maximum of 60 devices being compromised in a single operation. To date, 162 distinct intrusion sets have been cataloged.

This ORB network resembles another cluster known as PolarEdge, which Sekoia reported earlier this year: since late 2023 it has exploited well-known security flaws in routers and IoT devices to aggregate them into a network for as-yet-undetermined purposes.

Despite these similarities, LapDogs and PolarEdge are categorized as distinct entities due to variations in their infection methods, persistence tactics, and the former’s capability to target virtual private servers (VPSs) and Windows systems.

While the PolarEdge backdoor replaces the CGI script on targeted devices with an operator-defined web shell, ShortLeash installs itself in the system directory as a .service file, so that it is restarted with root privileges after every reboot.
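Persistence through a unit file leaves a reviewable artifact on disk, which makes systemd unit triage a practical hunting step on Linux-based SOHO devices and VPSs. The script below is an added example, not ShortLeash's actual unit file (the article does not reproduce it). Its trusted-directory list and known-daemon table are illustrative assumptions, and both unit texts it examines are constructed samples: one ordinary sshd unit and one unit that borrows the nginx name while launching a binary from a hidden, world-writable path.

```python
"""Triage systemd unit files for persistence traits of the kind the article describes.

Added example, not ShortLeash's unit file. Assumptions: TRUSTED_BIN_DIRS and
KNOWN_DAEMONS are illustrative, and the unit texts below are constructed samples.
"""
import os

TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/lib/")
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A unit that borrows a well-known daemon's name should start that daemon's binary.
KNOWN_DAEMONS = {"nginx": ("/usr/sbin/nginx",), "sshd": ("/usr/sbin/sshd",)}
STRONG_INDICATORS = {"exec_outside_trusted_dirs", "exec_in_world_writable_dir",
                     "hidden_path_component", "name_mismatch"}


def parse_unit(text: str) -> dict:
    """Minimal INI-style parser for unit files; a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def exec_path(service: dict) -> str:
    """First token of ExecStart with systemd's prefix characters (-, @, +, !, :) removed."""
    tokens = service.get("ExecStart", "").split()
    return tokens[0].lstrip("-@+!:") if tokens else ""


def triage_unit(unit_name: str, text: str) -> list:
    """Return indicator names for one unit; an empty list means nothing stood out."""
    unit = parse_unit(text)
    service, install = unit.get("Service", {}), unit.get("Install", {})
    path = exec_path(service)
    reasons = []
    if path and not path.startswith(TRUSTED_BIN_DIRS):
        reasons.append("exec_outside_trusted_dirs")
    if path.startswith(WORLD_WRITABLE_DIRS):
        reasons.append("exec_in_world_writable_dir")
    if any(p.startswith(".") for p in path.split("/") if p not in (".", "..")):
        reasons.append("hidden_path_component")
    stem = unit_name[:-len(".service")] if unit_name.endswith(".service") else unit_name
    if stem in KNOWN_DAEMONS and path not in KNOWN_DAEMONS[stem]:
        reasons.append("name_mismatch")
    # Root execution that auto-restarts at boot: weak on its own (many real daemons do this).
    if ("User" not in service and install.get("WantedBy") == "multi-user.target"
            and service.get("Restart", "no") in ("always", "on-failure")):
        reasons.append("root_autostart_with_restart")
    return reasons


def is_suspicious(reasons: list) -> bool:
    """Escalate only when at least one strong indicator is present."""
    return bool(STRONG_INDICATORS.intersection(reasons))


def triage_directory(unit_dir: str = "/etc/systemd/system") -> dict:
    """Run triage over every .service file in a directory (live-host entry point)."""
    results = {}
    for name in sorted(os.listdir(unit_dir)):
        if name.endswith(".service"):
            with open(os.path.join(unit_dir, name), encoding="utf-8", errors="replace") as fh:
                results[name] = triage_unit(name, fh.read())
    return results


# Constructed samples, not real unit files from any compromised device.
BENIGN_SSHD = """
[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

FAKE_NGINX = """
[Unit]
Description=nginx web server

[Service]
ExecStart=/tmp/.cache/nginx
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for name, text in (("sshd.service", BENIGN_SSHD), ("nginx.service", FAKE_NGINX)):
        reasons = triage_unit(name, text)
        print(name, "SUSPICIOUS" if is_suspicious(reasons) else "ok", reasons)
```

The weak indicator (root, enabled at boot, auto-restart) fires on the genuine sshd unit too, which is why the verdict hinges on the strong indicators: a binary outside the package-managed directories, a hidden or world-writable path, or a unit name that does not match the binary it starts. Running `triage_directory()` on a device also covers the vendor's own unit directories only if you point it there; check `/lib/systemd/system` as well on appliances that ship units there.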

The report assesses with medium confidence that the China-linked threat group tracked as UAT-5918 has used LapDogs in operations targeting Taiwan. It remains unclear whether UAT-5918 is the principal entity behind the network or simply one of its customers.

Prior documentation from Google Mandiant, Sygnia, and SentinelOne has highlighted the use of ORB networks by Chinese threat actors as a means for obfuscation, indicating a growing adoption of these methods in highly targeted operations.

ORB networks resemble botnets in that they comprise numerous compromised legitimate internet-connected devices or virtual services, but they play a more versatile role, akin to a Swiss Army knife. They can assist at various points throughout the intrusion lifecycle, from reconnaissance and anonymous browsing to data exfiltration, enabling actors to initiate and control intrusions efficiently.