Behind the Broadband Curtain: How ORB Networks Turn Everyday Devices into Cyberattack Shields
Subtitle: Sophisticated hackers exploit compromised IoT and home routers in Singapore to cloak espionage campaigns, leaving defenders in a high-stakes digital cat-and-mouse game.
On a quiet evening in Singapore, tens of thousands of internet users streamed movies, checked emails, and gamed online - unaware that their routers and smart gadgets might be unwitting pawns in a global cyber-espionage campaign. Welcome to the shadowy world of Operational Relay Box (ORB) networks, where ordinary devices become camouflage for some of the world’s most elusive hackers.
In February 2026, Singapore’s Cyber Security Agency (CSA) revealed the scale of Operation CYBER GUARDIAN - a massive, multi-agency effort to root out a sophisticated cyberattack targeting all four of the nation’s major telecom providers. The culprit: UNC3886, a notorious China-linked advanced persistent threat (APT) group known for exploiting “zero-day” vulnerabilities and deploying custom malware to infiltrate critical infrastructure.
The attackers didn’t break in through obvious doors. Instead, they harnessed a sprawling mesh of compromised Internet of Things (IoT) devices, small office/home office (SOHO) routers, and virtual private servers (VPS). These ORB networks acted as digital smoke screens, routing malicious traffic through unsuspecting homes and businesses. On the surface, the traffic looked just like your neighbor’s Netflix binge - making it nearly impossible for defenders to separate friend from foe without risking widespread disruption to innocent users.
Technical analysis from security firm Mandiant and threat intelligence group Team Cymru uncovered dozens of Singapore-based ORB nodes, many operating within AWS, StarHub, and Singtel networks. Attackers cleverly swapped out compromised devices to keep the network resilient and often positioned nodes close to their targets, sidestepping geofencing controls and enabling persistent surveillance.
The campaign’s stealth was aided by rootkits - malicious tools that burrow deep into devices to maintain long-term, undetected presence. Attackers exfiltrated minor network data, but their true goal appeared to be reconnaissance and persistent access, not immediate disruption.
Singapore’s government has mandated secure-by-default routers with automatic patching and unique passwords since 2022. Yet the sheer number of outdated or imported devices left exploitable cracks in the country’s digital armor. In just 90 days, Team Cymru flagged over a dozen ORB-tagged IPs on victim ISPs and 62 victim IPs (mainly D-Link and Asus routers) linking to ORBs, highlighting the scale and persistence of the threat.
Thanks to CYBER GUARDIAN, the attack was contained with no customer data loss or service outages. But the case is a stark reminder: as attackers weaponize everyday technology, defenders must hunt for hidden threats, patch edge devices, and adopt zero-trust approaches. In the high-stakes world of cyber-espionage, your home router could be the next unwitting accomplice.
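The hunt the article calls for can be made concrete. What follows is an added illustration, not code from CSA, Mandiant or Team Cymru, and every value in it is constructed: the flow records, the ORB-tagged IP list, the "residential" prefixes and the management host are hypothetical stand-ins for a real threat-intelligence feed, ASN data and an asset inventory. It runs three defender-side checks over the sample flows: a match against ORB-tagged sources, a check for consumer-broadband addresses reaching a management interface (where no home router should ever appear), and a rotation check that groups residential sources by /24 so that an attacker swapping one compromised router for its neighbour still produces a single finding. Ordinary customer traffic to a public web server is deliberately left unflagged, mirroring the article's point that relay traffic blends in with everyday browsing.

```python
"""Flag inbound flows that look like ORB-style relay activity.

Added example with constructed data; not the tooling used in the
campaign described. Flow lines, IP lists, prefixes and the
management host are all hypothetical.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed: sources a hypothetical intel feed has tagged as ORB relays.
ORB_TAGGED = {"203.0.113.10", "198.51.100.5"}

# Constructed: prefixes we treat as consumer-broadband space, i.e. where
# SOHO routers live. A real deployment would derive this from ASN data.
RESIDENTIAL_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed: an internal management gateway that should only be reached
# from corporate or partner address space, never from a home connection.
MGMT_HOSTS = {"10.0.5.20"}

# Constructed flow records: "<timestamp> <src> <dst> <dport> <bytes>".
FLOWS = """\
2026-02-03T01:02:11Z 203.0.113.10 10.0.5.20 443 1840
2026-02-03T01:02:40Z 203.0.113.44 10.0.5.20 8443 920
2026-02-03T01:03:05Z 203.0.113.91 10.0.5.20 8443 1100
2026-02-03T01:03:50Z 203.0.113.120 10.0.5.20 8443 870
2026-02-03T01:04:10Z 192.0.2.7 10.0.5.20 8443 5000
2026-02-03T01:05:00Z 198.51.100.22 10.0.9.8 80 210
"""


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_residential(ip):
    """True if the address falls in one of the constructed broadband prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)


def analyse(flows, rotation_threshold=3):
    """Return (kind, subject, target) findings for the three checks.

    rotation_threshold: number of distinct residential sources in one /24
    hitting the same management host before we call it relay rotation.
    """
    findings = []
    # (management host, /24) -> set of residential source IPs seen.
    siblings = defaultdict(set)
    for f in flows:
        # Check 1: source is on the ORB-tagged list.
        if f["src"] in ORB_TAGGED:
            findings.append(("orb-tagged-source", f["src"], f["dst"]))
        # Check 2: consumer-broadband address reaching a management host.
        if f["dst"] in MGMT_HOSTS and is_residential(f["src"]):
            findings.append(("residential-to-mgmt", f["src"], f["dst"]))
            net = ip_network(f["src"] + "/24", strict=False)
            siblings[(f["dst"], str(net))].add(f["src"])
    # Check 3: many neighbouring home IPs touching the same host, which is
    # what node rotation inside one broadband prefix looks like.
    for (dst, net), srcs in siblings.items():
        if len(srcs) >= rotation_threshold:
            findings.append(("relay-rotation", net, dst))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick triage view."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = analyse(parse_flows(FLOWS))
    for kind, subject, target in results:
        print(f"{kind:22s} {subject:18s} -> {target}")
    print(dict(summarize(results)))
```

On the sample data the single tagged source produces one direct hit, the four home-prefix addresses reaching the management host each produce a finding, and those same four collapse into one rotation finding for 203.0.113.0/24. The partner address 192.0.2.7 and the customer browsing 10.0.9.8 on port 80 produce nothing, which is the property a defender wants: the alert fires on where residential traffic lands, not on the fact that it exists.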
Reflecting on the Invisible War
The ORB network campaign in Singapore exposes a chilling reality: the devices we trust most can become digital double agents overnight. As cybercriminals grow bolder and more cunning, the line between everyday life and global espionage blurs - making vigilance, innovation, and collaboration more crucial than ever.
WIKICROOK
- ORB Network: An ORB network is a decentralized mesh of hacked devices used to relay and mask malicious online activity, making cyberattacks harder to detect and trace.
- IoT Device: An IoT device is an everyday object, like a thermostat or camera, that connects to the Internet to share data and can often be controlled remotely.
- Rootkit: A rootkit is stealthy malware that hides itself on a device, allowing attackers to secretly control the system and evade detection.
- Zero-Day Vulnerability: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous in the hands of attackers.
- Advanced Persistent Threat (APT): An Advanced Persistent Threat (APT) is a prolonged, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.