SPACEHOP is the codename for a sophisticated, China-linked cyber infrastructure known as an Operational Relay Box (ORB) network. It is actively used by multiple Chinese advanced persistent threat (APT) groups—including APT5 and APT15—for espionage, reconnaissance, and exploitation of vulnerabilities in targeted systems.

SPACEHOP: Key Features

• Global Distribution: SPACEHOP nodes are spread worldwide, with significant presence in Europe, the Middle East, and the United States. This global spread reduces reliance on any single country’s infrastructure and makes takedown efforts harder.
• Relay Servers: The core of SPACEHOP uses relay servers hosted by cloud providers in Hong Kong or China. These servers run open-source command-and-control (C2) frameworks to manage downstream nodes.
• Node Composition: Most relay nodes are cloned Linux-based images that proxy malicious traffic to exit nodes, which then communicate with the intended victim environments.
• Short-Lived Infrastructure: The IP addresses and nodes in SPACEHOP are frequently cycled—sometimes lasting only about a month—making traditional blocking and tracking methods less effective.
• Usage: SPACEHOP has been observed facilitating high-profile exploits, such as the December 2022 exploitation of the Citrix ADC and Gateway vulnerability (CVE-2022-27518), which the NSA linked to APT5.

Purpose and Impact

• Concealment: By routing traffic through a constantly changing mesh of compromised and leased devices, SPACEHOP effectively masks the true source of attacks, making detection and attribution far more difficult for defenders.
• Operational Flexibility: Multiple Chinese APT groups can rent and use the SPACEHOP network simultaneously, deploying their own malware and tools without direct control over the infrastructure itself.
• Increased Defense Costs: The dynamic nature of SPACEHOP and similar ORB networks forces defenders to invest more resources in tracking and mitigating threats, as traditional indicators of compromise (IOCs) quickly become obsolete.
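The month-long node churn described above is why a raw blocklist hit against ORB infrastructure needs an age check before anyone acts on it. The following Python is an added illustration (not part of the original summary) that weights each match by the indicator's last-seen date; the indicator feed, the firewall log lines and the 30-day lifetime constant are constructed assumptions, not real SPACEHOP data.

```python
from datetime import datetime, timedelta

# Assumed ORB node lifetime, taken from the "about a month" churn noted above.
ORB_NODE_LIFETIME = timedelta(days=30)

# Constructed indicator feed (documentation-range IPs): IP -> (first_seen, last_seen).
INDICATORS = {
    "203.0.113.10": ("2024-01-02", "2024-01-20"),
    "198.51.100.77": ("2024-02-10", "2024-03-05"),
    "192.0.2.44": ("2023-10-01", "2023-10-15"),
}

# Constructed firewall log lines: "<timestamp> <src_ip> -> <dst_ip>:<port>"
LOG_LINES = [
    "2024-03-06T10:15:00 198.51.100.77 -> 10.0.0.5:443",
    "2024-03-06T10:16:00 203.0.113.10 -> 10.0.0.5:443",
    "2024-03-06T10:17:00 192.0.2.44 -> 10.0.0.8:22",
    "2024-03-06T10:18:00 10.0.0.9 -> 10.0.0.5:443",
]


def indicator_confidence(last_seen: datetime, observed: datetime) -> str:
    """Classify an indicator by how long ago it was last seen in use."""
    age = observed - last_seen
    if age <= ORB_NODE_LIFETIME:
        return "current"   # within the expected lifetime of a relay/exit node
    if age <= 2 * ORB_NODE_LIFETIME:
        return "aging"     # node has probably been cycled; verify before blocking
    return "stale"         # address is likely back with an unrelated tenant


def match_logs(log_lines, indicators):
    """Return (timestamp, src_ip, confidence) for each log line that hits the feed."""
    hits = []
    for line in log_lines:
        ts_str, src, _arrow, _dst = line.split()
        if src not in indicators:
            continue
        observed = datetime.fromisoformat(ts_str)
        last_seen = datetime.fromisoformat(indicators[src][1])
        hits.append((ts_str, src, indicator_confidence(last_seen, observed)))
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOG_LINES, INDICATORS):
        print(hit)
```

A "stale" hit is still worth logging, since the same operators may reuse providers, but only "current" matches justify an automated block.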