Chinese crew built 1,000+ device network that runs on home devices then targets critical infrastructure
Source: theregister.co.uk

A stealthy, ongoing campaign to gain long-term access to networks bears all the markings of intrusions conducted by China's 'Typhoon' crews and has infected at least 1,000 devices, primarily in the US and South East, according to Security Scorecard's Strike threat intel analysts. It also uses a phony certificate purportedly signed by the Los Angeles police department to try to gain access to critical infrastructure.
The digital break-ins began no later than September 2023 (possibly earlier) and have expanded ever since. The campaign mostly targets end-of-life routers, IoT devices, internet-connected security cameras, virtual servers, and other small office/home office (SOHO) devices, with the goal of building an Operational Relay Box (ORB) network.
Beijing's attackers route traffic and launch cyberattacks through these ORB networks, which have grown to hundreds or thousands of compromised devices. Because the activity comes through what seems to be a local ...
Copyright of this story belongs solely to theregister.co.uk.