Severity
High
Analysis Summary
A China-linked advanced persistent threat (APT) group identified as UAT-5918 has been operating a covert espionage campaign named LapDogs, according to a report by researchers. The group has created a stealthy Operational Relay Boxes (ORB) network comprising over 1,000 backdoored nodes to support long-term cyber-espionage operations.
The LapDogs campaign, which began around September 2023, targets organizations across industries such as IT, media, networking, real estate, and more in the U.S., Japan, South Korea, Hong Kong, Taiwan, and other Southeast Asian regions. The group primarily compromises SOHO routers, infecting them with a custom backdoor called ShortLeash, designed for stealthy, persistent access. Each compromised device can generate self-signed TLS certificates spoofing the Los Angeles Police Department (LAPD), a tactic used for deception and evasion.
Exploitation primarily targets Ruckus Wireless access points and Buffalo Technology AirStation routers, both running outdated SSH services found to be susceptible to CVE-2015-1548 and CVE-2017-17663. Attacks are conducted in small batches, infecting up to 60 devices per wave, to avoid detection.
LapDogs shares operational similarities with PolarEdge, another ORB network of over 2,000 compromised IoT devices, although the two are considered distinct efforts. Both use hijacked devices for infrastructure rather than for launching direct attacks, allowing them to maintain a low profile while supporting malicious activities.
UAT-5918 has been previously associated with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit by Cisco Talos. In its operations, the group exploits known vulnerabilities for initial access, steals credentials for lateral movement, and leverages web shells and open-source tools for persistence and post-compromise activities.
Impact
- Cyber Espionage
- Network Compromise
- Unauthorized Access
Indicators of Compromise
Domain Name
- northumbra.com
- ns.northumbra.com
- www.northumbra.com
- study.northumbra.com
MD5
- c477254e17df4500703c204b4b9f3e36
- fdbc9a282781a34dd4b7070d5cc64b50
SHA-256
- 02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61
- 1a180186e6fbaf6fa88f934965290235e8418976d6f3546dbf100217d1752db4
SHA-1
- f92c4482ce47b02f1f9017283ad032710aee8d4f
- b9e578217f2b40f846688fd0db0f8330d25c3820
Remediation
- Replace outdated and unsupported SOHO routers and access points with secure, up-to-date models
- Apply the latest firmware updates and patches, especially addressing CVE-2015-1548 and CVE-2017-17663
- Disable unused services such as SSH or restrict access using strong authentication and network controls
- Monitor network traffic for unusual patterns or unauthorized TLS certificate usage
- Deploy intrusion detection systems (IDS) capable of spotting beaconing or anomalous behavior
- Segment networks to limit lateral movement from compromised devices
- Conduct regular credential audits and enforce multi-factor authentication (MFA)
- Remove or isolate devices showing signs of compromise from critical infrastructure
- Perform continuous asset discovery and vulnerability assessments for all connected devices
- Implement certificate monitoring tools to detect unauthorized or spoofed certificate issuance
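The certificate-monitoring items above amount to spotting the self-signed LAPD-spoofing certificates described in the analysis. As an added example (not code from the advisory or the researchers it cites), the Python below scans constructed Zeek-style x509.log records, reports every self-signed certificate and escalates those whose subject organisation matches a watchlist; the simplified log layout, the sample values, the IMPERSONATED_ORGS list and the "lapd" abbreviation are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed Zeek-style x509.log records (ts, fuid, subject, issuer). Only the
# fields used below are modelled, and none of the values come from the advisory.
SAMPLE_X509_LOG = """\
1718200001.1\tFa1b2c\tCN=mail.example.org,O=Example Corp,C=US\tCN=R11,O=Let's Encrypt,C=US
1718200002.2\tFd3e4f\tCN=router.local,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US\tCN=router.local,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US
1718200003.3\tF5a6b7\tCN=192.168.1.1,O=Home NAS,C=JP\tCN=192.168.1.1,O=Home NAS,C=JP
1718200004.4\tF8c9d0\tCN=portal.example-pd.gov,O=Los Angeles Police Department,C=US\tCN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
"""

# Organisations the advisory says the backdoor's certificates impersonate; the
# abbreviation is an assumed variant. Extend the tuple for your own environment.
IMPERSONATED_ORGS = ("los angeles police department", "lapd")


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514-style DN ("CN=a,O=b,C=US") into {ATTR: value}; a comma
    escaped with a backslash stays inside the value."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.replace("\\,", ",").strip()
    return attrs


@dataclass
class Finding:
    fuid: str
    subject: str
    severity: str  # "high": self-signed and impersonating; "low": merely self-signed
    reason: str


def analyze_x509_log(log_text: str) -> list:
    """One Finding per self-signed certificate (subject DN == issuer DN),
    escalated when its O= attribute claims a watchlisted organisation."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, fuid, subject, issuer = line.split("\t")[:4]
        subj, iss = parse_dn(subject), parse_dn(issuer)
        if subj != iss:
            continue  # CA-issued: validating the chain is the TLS stack's job, not this rule's
        org = subj.get("O", "").lower()
        if org in IMPERSONATED_ORGS:
            findings.append(Finding(fuid, subject, "high",
                                    f"self-signed certificate claims O={subj['O']!r}"))
        else:
            findings.append(Finding(fuid, subject, "low", "self-signed certificate"))
    return findings
```

A CA-issued certificate naming the same organisation (the fourth record) is deliberately not flagged, so the rule keys on the self-signed-plus-impersonation combination rather than on the organisation name alone.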