Home routers become silent spies as China-linked hackers wage a slow, calculated digital infiltration campaign

- ShortLeash gives attackers stealthy root-level access and blends malicious activity into everyday network traffic
- LapDogs uses forged LAPD certificates to hide its malware, evading even the best endpoint protection systems
- The malware hijacks devices quietly
A recently disclosed cyber-espionage operation, dubbed LapDogs, has come under close scrutiny following findings published by the SecurityScorecard STRIKE team.
The operation, believed to be carried out by China-aligned threat actors, has quietly infiltrated more than 1,000 devices across the United States, Japan, South Korea, Taiwan and Hong Kong.
What makes this campaign distinctive is its use of hijacked SOHO routers and IoT devices, turning them into Operational Relay Boxes (ORBs) for sustained surveillance.
Stealth, perseverance and false identities
LapDogs is an ongoing campaign, active since September 2023, targeting the real estate, media, municipal and IT sectors.
Devices from well-known vendors such as Buffalo Technology and Ruckus Wireless have been compromised.
The attackers use a custom backdoor called ShortLeash, which grants them broad privileges and stealth, allowing them to blend in with legitimate traffic.
According to the report, once a device is infected it can go undetected for months, and in the worst cases some devices are used as a bridge to infiltrate internal networks.
Unlike typical botnets that prioritize disruption or spam, LapDogs shows a more surgical approach.
“LapDogs reflects a strategic shift in how cyber threat actors leverage distributed, low-visibility devices to gain persistent access,” said Ryan Sherstobitoff, Director of Threat Intelligence at SecurityScorecard.
“These are not opportunistic smash-and-grab attacks; they are deliberate, geographically targeted campaigns that erode the value of traditional IOCs (indicators of compromise).”
With 162 distinct intrusion sets already mapped, the operation's structure suggests clear intent and segmentation.
What is particularly troubling is the impersonation of legitimate security credentials.
The malware forges TLS certificates that appear to be signed by the Los Angeles Police Department.
This forgery, combined with certificate issuance tied to the device's geolocation and assigned ports, makes it extremely difficult for conventional detection systems to flag the malicious behavior.
Even the best endpoint protection tools would struggle to identify such well-disguised intrusions, especially when the activity is carried over compromised home routers rather than corporate assets.
SecurityScorecard compares LapDogs with PolarEdge, another China-linked ORB network, but stresses that the two are distinct in infrastructure and execution.
The broader concern raised is the expanding vulnerability landscape. As companies rely more on decentralized devices and fail to update embedded firmware, the risk of persistent espionage increases.
The report urges network defenders and ISPs to scrutinize the devices in their supply chains.
This means reconsidering purely reactive solutions and focusing on more proactive, infrastructure-level measures, such as better FWaaS deployments and better ZTNA.