PolarNet Has Hallmarks of an Operational Relay Box

A rapidly swelling botnet capturing internet of things devices across the globe may be a front for foreign cyberespionage operations.
Infected equipment shows signs of malware that researchers codenamed PolarEdge, software that targets many different types of enterprise-class edge devices and consumer-grade IoT gear.
Attackers appeared to begin wielding PolarEdge in June 2023, with around 150 devices worldwide initially falling victim. That number snowballed to nearly 40,000 devices – 52% in South Korea and 21% in the United States – as of Aug. 5, says threat intelligence firm Censys. The geographic concentrations may be a function of attackers targeting device types commonly used by internet service providers in those regions.
Researchers say that PolarEdge’s purpose could be to create an operational relay box network to disguise cyberespionage operations. Buttressing that theory are the targets selected by attackers: always-on and stable devices such as IP cameras, ASUS-RT series routers, Cisco APIC cameras, network attached storage and cameras. “Ideal for proxying malicious traffic under the guise of legitimate users,” Censys wrote.
Attackers building a network of compromised devices to bounce internet traffic through layers of infected devices, so that it appears to exit from a putatively harmless residential IP address, is nothing new. But ORBs have “expanded in adoption by cyberespionage groups in the past few years,” said Himaja Motheram, a security researcher at Censys, in a blog post.
One way attackers attempt to stay hidden is that compromised devices present the hacker-installed backdoor on high, non-standard TCP ports ranging between 40,000 and 50,000, where they likely can “fly under the radar of standard network scans.”
Western intelligence agencies appear to have first invented ORBs to enable them to screen cyberespionage operations and complicate attribution. The technology became commercially available and more widely adopted by hackers, including Chinese nation-state actors.
“PolarEdge shows some ORB-like traits in its persistence, geographic concentration and device targeting patterns that are similar to other ORB-like campaigns linked to China-nexus espionage campaigns,” said Motheram. But it also has differences, including exhibiting low churn, the rate at which devices appear or disappear from the botnet.
Nation-state hackers like churn. “ORB networks are one of the major innovations in Chinese cyberespionage that are challenging defenders,” said Michael Raggi, a principal analyst at Google Cloud’s Mandiant, in a May 2024 report. “They’re like a maze that is continually reconfiguring with the entrance and the exit disappearing from the maze every 60 to 90 days.”
Motheram said one explanation for a low-turnover ORB may be the reliability of the infected devices or robust command and control infrastructure.
Honeypots Capture Webshell Exploit
Credit for discovering the malware and potential ORB attack infrastructure goes to Sekoia, after its honeypots recorded attempts to exploit a command injection vulnerability in Cisco Small Business Routers tracked as CVE-2023-20118. The attacks aimed to drop a webshell on the device that could maintain persistent, remote access.
Sekoia codenamed the malware and associated botnet infrastructure they mapped as PolarEdge, based on attackers’ use of a custom backdoor based on the Mbed TLS C library, previously known as PolarSSL, as well as PolarSSL-branded certificates and devices that live on the network edge.
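The two observable traits the article describes, a backdoor listening on TCP ports between 40,000 and 50,000 and PolarSSL-branded certificates, can be turned into a simple defender-side triage pass over scan inventory, and the churn figure discussed above can be computed between two inventory snapshots. The following is an added example, not code from the article, Censys or Sekoia; the `Listener` record, the churn definition and the sample addresses (TEST-NET range) are assumptions constructed for illustration.

```python
# Added example (not from the article or from Censys/Sekoia): a defender-side
# triage helper over constructed scan records. It flags listeners showing both
# traits the article describes (backdoor on TCP ports 40000-50000 and a
# PolarSSL-branded TLS certificate) and computes churn between two snapshots.
from dataclasses import dataclass

HIGH_PORT_RANGE = range(40000, 50001)   # non-standard port band reported by Censys
CERT_MARKER = "polarssl"                # PolarSSL-branded certificate, per Sekoia

@dataclass(frozen=True)
class Listener:               # hypothetical record shape, one per open port
    ip: str
    port: int
    cert_subject: str         # TLS certificate subject (CN/O), empty if no TLS

def is_suspect(l: Listener) -> bool:
    """Require both traits; a high port alone is far too noisy for triage."""
    return l.port in HIGH_PORT_RANGE and CERT_MARKER in l.cert_subject.lower()

def suspects(snapshot) -> set:
    """IPs in a snapshot that match the PolarEdge-like profile."""
    return {l.ip for l in snapshot if is_suspect(l)}

def churn(prev, curr) -> float:
    """Assumed churn metric: share of the combined suspect population that
    appeared or disappeared between the two snapshots (0.0 = fully stable)."""
    a, b = suspects(prev), suspects(curr)
    union = a | b
    return len(a ^ b) / len(union) if union else 0.0

# Constructed sample snapshots (documentation addresses, not real indicators)
DAY1 = [
    Listener("203.0.113.10", 44312, "CN=PolarSSL Test CA"),
    Listener("203.0.113.11", 443, "CN=router.example"),        # normal HTTPS
    Listener("203.0.113.12", 47001, "CN=PolarSSL Server 1"),
    Listener("203.0.113.13", 48000, ""),                       # high port, no TLS
]
DAY2 = [
    Listener("203.0.113.10", 44312, "CN=PolarSSL Test CA"),
    Listener("203.0.113.12", 47001, "CN=PolarSSL Server 1"),
    Listener("203.0.113.14", 41999, "O=PolarSSL"),             # newly appeared
]

if __name__ == "__main__":
    print(sorted(suspects(DAY1)), sorted(suspects(DAY2)), churn(DAY1, DAY2))
```

With the constructed data, two hosts are flagged on day one, three on day two, and churn is one third, since one host joined and none left.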
“The main objective of PolarEdge remains unclear, but a working hypothesis suggests that it could be using compromised devices as operational relay boxes to facilitate offensive cyber operations,” Jeremy Scion and Félix Aimé, security researchers at threat intelligence firm Sekoia, said in a February report.
The researchers said the effort had all the hallmarks of being “a well-coordinated and substantial cyber threat” being “conducted by skilled operators,” not least given the “significant infrastructure” tied to the operation, as well as “the complexity of the payloads.”
As of January, about 2,000 devices worldwide appeared to be infected with PolarEdge, Sekoia said. Around that time, attackers appeared to expand the botnet by compromising many more types of enterprise-grade devices. Consumer-grade equipment targeted includes Asus routers and network-attached storage devices built by Synology, plus other types of firewalls, VoIP phones and IP cameras.
“These are typically stable, always on devices in trusted residential IP space – ideal for proxying malicious traffic under the guise of legitimate users,” Censys’ Motheram said.