Tracking ORBs on Singapore's Telecommunications Networks

ORB networks (Operational Relay Box networks) are obfuscated mesh networks used by threat actors to mask the origin of their cyberattacks. These networks are often composed of a mix of compromised Internet-of-Things (IoT) devices, Small Office/Home Office (SOHO) routers, and Virtual Private Servers (VPS). Team Cymru has blogged previously about ORBs here.

ORBs are considered a significant threat for several key reasons:

  • Evasion and Anonymity: ORBs act like private residential proxy networks, allowing attackers to route their traffic through nodes that appear to be legitimate home or commercial broadband users. This masks the attacker's true location and makes it difficult for defenders to trace the activity back to the source.
  • Blending with Legitimate Traffic: Because ORB nodes often reside on compromised devices used by real people (such as home routers), malicious traffic is frequently mixed with "normal" user traffic. This makes detection challenging and creates a risk for defenders: blocking an ORB IP address could inadvertently block legitimate users or disrupt genuine business services.
  • Resilience and Flexibility: Attackers can easily scale these networks by adding or removing compromised devices and servers. If a node is discovered and blocked, it can be quickly replaced, making the network highly resilient to takedown attempts.
  • Pre-positioning: Experts note that adversaries use ORBs to "commute" to a target's perimeter, allowing them to pre-position themselves months in advance of an attack. This infrastructure facilitates reconnaissance and exploitation while keeping the adversary's "bridge" intact even if specific operations are detected.
  • Geographical Evasion: By routing traffic through nodes located near their targets, attackers can circumvent geofencing security controls and make their traffic appear more legitimate.

UNC3886 Campaign against M1, SIMBA Telecom, Singtel, and StarHub

On February 9, 2026, the Cyber Security Agency of Singapore (CSA) released a press release detailing a multi-agency cybersecurity operation, codenamed Operation CYBER GUARDIAN, intended to defend their communications sector. The CSA first shared that they detected an Advanced Persistent Threat (APT) actor tracked as UNC3886 attacking Singapore’s critical infrastructure on July 18, 2025. The CSA’s investigation has uncovered that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telecommunications operators—M1, SIMBA Telecom, Singtel, and StarHub—were targeted. 

Notably, the CSA observed the adversary using a zero-day exploit to bypass a perimeter firewall of the victims and gain access into their telecommunications networks. The adversary also managed to reportedly exfiltrate a small amount of technical data; this is believed to be primarily network-related data to advance the threat actors’ operational objective. What made UNC3886 a challenge to find was its use of advanced tools and techniques such as rootkits to evade basic detection systems.

UNC3886’s Historical Campaigns

According to Mandiant, UNC3886 is a state-sponsored threat group tied to Chinese cyber-espionage operations. The group is well-known for exploiting zero-day vulnerabilities in edge devices and virtualised systems to gain stealthy, long-term access. 

Its targets span energy, water, telecommunications, finance, and government services, with tactics that include custom malware and advanced persistence techniques. UNC3886 has reportedly used zero-days in Fortinet, VMware, and Juniper devices and has deployed custom malware families to maintain access on them. 

Interestingly, in Mandiant’s report from March 2025 about UNC3886 targeting Juniper routers, the indicators of compromise (IOCs) they shared were all located in Singapore, and some of the targeted victims were organizations such as M1 and StarHub, as shown in Table 1 below. Notably, Mandiant’s researchers also noted that these IPs are staging nodes used by the GOBRAT ORB network.

TinyShell C2 Infrastructure List

Description | IP:Port | WHOIS (Team Cymru) | GeoIP (Team Cymru)
TINYSHELL C2 | 129.126.109.50:22 | Alibaba (US) Technology Co., Ltd. | Singapore
TINYSHELL C2 | 116.88.34.184:22 | M1 NET LTD | Singapore
TINYSHELL C2 | 223.25.78.136:22 | MobileOne Ltd. | Singapore
TINYSHELL C2 | 45.77.39.28:22 | MyRepublic Ltd. | Singapore
TINYSHELL C2 | 101.100.182.122:22 | MyRepublic Ltd. | Singapore
TINYSHELL C2 | 118.189.188.122:22 | MyRepublic Ltd. | Singapore
TINYSHELL C2 | 158.140.135.244:22 | Starhub Ltd | Singapore
TINYSHELL C2 | 8.222.225.8:22 | The Constant Company, LLC | Singapore

  Table 1. UNC3886 IOCs shared by Mandiant enriched by Team Cymru Scout.

Multiple threat reports on UNC3886 are available via Malpedia here.

ORBs detected by Team Cymru on Singaporean IPs

ORBs in Singapore

Using Team Cymru Scout, we can gather statistics about the number of ORBs currently deployed in Singapore. Using the query (tag = "orb" asn = "55430, 9506, 4773, 4817"), we identified up to 12 unique IPs in the last 90 days tagged as an ORB on the four named victim ISPs (M1, SIMBA Telecom, Singtel and StarHub). Using another Scout query (tag = "orb" cc = "SG"), we identified up to 44 unique IPs in the last 90 days tagged as an ORB that were located in Singapore. The ASNs where most of the Singapore-based ORB IPs were located include AWS, GHOST, Starhub, Singtel, CDNEXT, Vultr, and BrainStorm.

Investigating ORB communications to Singaporean IPs

Using Team Cymru Scout further, we can identify the NetFlow records of every IP tagged as an ORB that has communicated with one of the four named victim ISPs from Singapore. Using the Scout query (tag = "orb" comms.asn = "55430, 9506, 4773, 4817"), we identified up to 42 unique IPs in the last 30 days that have communicated with IP addresses on the four named victim ISPs. Using the reverse Scout query (comms.tag = "orb" asn = "55430, 9506, 4773, 4817"), the number of unique IP addresses on the victim ISPs that have communicated with ORBs was up to 62 in the last 30 days. The majority of the IP addresses on the Singaporean ISPs that had communicated with ORB IPs were tagged by Team Cymru as either D-Link or Asus routers.
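The two pivots above (ORB-tagged IPs talking to the victim ASNs, and victim-ASN IPs talking to ORBs) can be reproduced offline over your own flow data. The following is an added example, not Team Cymru's or Scout's code: it assumes a constructed prefix-to-ASN table, a constructed tag feed in place of Scout's tags, and a handful of constructed NetFlow-style records in RFC 5737 documentation space.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> ASN table standing in for the WHOIS/BGP lookup Scout performs;
# 55430 and 9506 are two of the page's victim ASNs, the prefixes are RFC 5737 space.
PREFIX_ASN = {"198.51.100.0/24": 55430, "203.0.113.0/24": 9506, "192.0.2.0/24": 64500}
VICTIM_ASNS = {55430, 9506, 4773, 4817}

# Constructed tag feed standing in for Scout's tags (values made up for the example).
IP_TAGS = {
    "192.0.2.10": {"orb"}, "192.0.2.11": {"orb"}, "203.0.113.7": {"orb"},
    "198.51.100.20": {"asus_router"}, "198.51.100.21": {"dlink_router"},
}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("192.0.2.10", "198.51.100.20", 22),
    ("192.0.2.11", "198.51.100.20", 22),
    ("203.0.113.7", "198.51.100.21", 22),   # an ORB that itself sits on a victim ASN
    ("192.0.2.50", "198.51.100.22", 443),   # untagged peer: not an ORB contact
    ("198.51.100.21", "192.0.2.10", 443),   # victim-initiated flow, reverse direction
]

def asn_of(ip):
    """Map an IP to its ASN; the constructed prefixes do not overlap, so first match wins."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_ASN.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None
def orb_contacts(flows, tags=IP_TAGS, victim_asns=VICTIM_ASNS):
    """Set of (orb_ip, victim_ip) pairs, checking both directions of every flow."""
    pairs = set()
    for src, dst, _port in flows:
        for a, b in ((src, dst), (dst, src)):
            if "orb" in tags.get(a, ()) and asn_of(b) in victim_asns:
                pairs.add((a, b))
    return pairs
def contacts_by(flows, key="orb"):
    """key="orb"    mirrors  tag = "orb" comms.asn = "<victim ASNs>"  (ORB -> victim IPs);
    key="victim" mirrors  comms.tag = "orb" asn = "<victim ASNs>"  (victim IP -> ORBs)."""
    out = defaultdict(set)
    for orb, victim in orb_contacts(flows):
        a, b = (orb, victim) if key == "orb" else (victim, orb)
        out[a].add(b)
    return dict(out)
def victim_device_types(flows, tags=IP_TAGS):
    """Count the device tags (Asus, D-Link, ...) of victim-side IPs that reached an ORB."""
    victims = contacts_by(flows, "victim")
    return Counter(t for v in victims for t in tags.get(v, {"untagged"}))
```

Checking both flow directions matters: a victim router that initiates the connection to an ORB would otherwise be missed, and the device-type count is the same breakdown the paragraph reports for D-Link and Asus routers.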

Analysis of Singapore’s National Countermeasures

While many countries treat Wi-Fi router security as a "best effort" by manufacturers, Singapore has moved toward a model of mandatory responsibility. This shift is critical when viewed against the backdrop of the UNC3886 campaign, where sophisticated threat actors targeted the infrastructure of major local telcos (Singtel, StarHub, M1, and SIMBA).

Singapore’s approach to Wi-Fi router regulation stands out globally because it shifts the burden of security from the end-user directly onto the manufacturers and telcos. Singapore’s Infocomm Media Development Authority (IMDA) enforces the TS RG-SEC, which is a mandatory technical specification for all residential gateways sold for local use. This standard effectively mandates that routers must be "secure by default," requiring features like the automatic downloading and installation of security patches. Manufacturers are obligated to provide these updates in a timely manner based on the severity of vulnerabilities, ensuring that devices remain protected throughout their warranty period or until they reach their declared end-of-life status. 

Complementing this technical foundation is the Cyber Security Agency’s (CSA) Cybersecurity Labelling Scheme (CLS), which provides a transparent "hygiene rating" for consumer devices. For a router to be sold in Singapore, it must minimally attain CLS Level 1, which guarantees adherence to international baseline requirements: unique default passwords for every unit, a formal vulnerability disclosure policy, and a commitment to ongoing software support. This dual-layered regulatory net ensures that new hardware entering the market is equipped to handle modern threats without requiring the average homeowner to be a cybersecurity expert. 

However, a significant "legacy gap" remains; because these mandatory standards were only introduced in mid-2022, a vast number of older routers still in use do not benefit from these automated protections. Furthermore, the regulations only apply to locally sold units, meaning devices imported directly from overseas may bypass these vital security checks, leaving a potential side-door open for advanced persistent threats like UNC3886.

Conclusion

The use of ORB networks in this campaign highlights that a sophisticated and persistent threat targeted Singapore’s critical telecommunications infrastructure. The coordinated, state-sponsored campaign by the UNC3886 APT actor, which has been known to leverage ORB networks, demonstrates the effectiveness of these obfuscated mesh networks in achieving evasion, anonymity, and long-term access.

Ultimately, the successful targeting of Singapore's telecommunications sector highlights the critical need for defenders to evolve their strategies beyond traditional perimeter defense. Addressing the ORB threat requires focusing on visibility within the adversary’s infrastructure, identifying compromised SOHO and IoT devices, and implementing advanced threat intelligence from Team Cymru to counter adversaries who are adept at pre-positioning and leveraging residential proxy tactics for long-term espionage and exploitation.

Indicators of Compromise (IOCs)

Team Cymru has shared recent IP addresses of GOBRAT C2 servers below to support threat hunting and tracking of this adversary’s infrastructure TTPs:

GOBRAT C2 Infrastructure List

Indicator | Description | ASN | GeoIP | Last Seen
8.218.212.173 | GOBRAT C2 Server | AS45102 (Alibaba) | Singapore | 2025-12-28
8.218.127.103 | GOBRAT C2 Server | AS45102 (Alibaba) | Singapore | 2025-12-30
47.82.7.142 | GOBRAT C2 Server | AS45102 (Alibaba) | Singapore | 2026-02-11

Scout Query Reference

Description | Scout Query
GOBRAT C2s in Singapore | tag = "gobrat" cc = "SG"
ORBs in Singapore | tag = "orb" cc = "SG"
ORBs on the four victim ISPs | tag = "orb" asn = "55430, 9506, 4773, 4817"
ORBs communicating with the four victim ISPs | tag = "orb" comms.asn = "55430, 9506, 4773, 4817"
IP addresses from the four ISPs communicating with ORBs | comms.tag = "orb" asn = "55430, 9506, 4773, 4817"