China Linked Threat Actors Exploit Ruckus Routers to Build Covert Operational Relay Networks

Cybersecurity researchers have uncovered a sophisticated campaign in which China linked threat actors are exploiting vulnerable Ruckus wireless routers to create Operational Relay Box (ORB) networks. These compromised networking devices are being used to mask attacker infrastructure, relay malicious traffic, and support long term cyber espionage operations.

The campaign highlights a growing trend where attackers target internet facing network devices instead of traditional endpoints, allowing them to establish resilient infrastructure while making attribution and detection significantly more difficult.

Understanding Operational Relay Box Networks

Operational Relay Box (ORB) networks consist of compromised internet connected devices that attackers use as intermediate communication nodes during cyber operations.

Rather than launching attacks directly from attacker controlled infrastructure, threat actors route their malicious traffic through compromised routers and networking devices. This approach helps them:

  • Conceal the true origin of attacks
  • Evade traditional security monitoring
  • Maintain persistent infrastructure
  • Support espionage campaigns
  • Relay command and control communications
  • Launch additional attacks against downstream targets

Compromised networking equipment becomes part of a hidden infrastructure that supports multiple cyber operations over extended periods.

Why Routers Are Increasingly Targeted

Routers often receive less security attention than servers and workstations, despite being critical components of enterprise infrastructure.

Attackers frequently target routers because they:

  • Operate continuously with internet connectivity
  • Are often overlooked during security monitoring
  • May run outdated firmware
  • Can provide long term persistence
  • Allow attackers to route traffic without raising immediate suspicion

Once compromised, routers can become valuable assets for supporting covert cyber campaigns.

Risks to Organizations

A compromised networking device can expose organizations to numerous security risks beyond unauthorized access.

Potential impacts include:

  • Hidden attacker communication channels
  • Network reconnaissance
  • Credential theft
  • Traffic interception
  • Lateral movement across enterprise environments
  • Data exfiltration
  • Increased exposure to future attacks
  • Loss of visibility into malicious activity

Because routers occupy a central position within enterprise networks, compromise can significantly increase organizational risk.

Strengthening Network Infrastructure Security

Organizations should implement a comprehensive security strategy to protect network infrastructure from sophisticated attacks.

Recommended security measures include:

  • Regularly update router firmware with vendor security patches.
  • Disable unnecessary remote management services.
  • Change default administrative credentials immediately after deployment.
  • Implement Multi-Factor Authentication for administrative access where supported.
  • Continuously monitor network devices for unusual activity.
  • Segment critical infrastructure from user networks.
  • Conduct routine vulnerability assessments of networking equipment.
  • Maintain detailed asset inventories of internet facing devices.
  • Enable centralized logging and integrate network devices with SIEM platforms.
  • Perform regular penetration testing to identify exploitable weaknesses.

Proactive monitoring and timely patch management remain essential for reducing the attack surface.

Industries Most at Risk

Campaigns targeting networking infrastructure can affect organizations across multiple sectors, particularly those managing distributed networks and critical operations.

Industries that should prioritize network infrastructure security include:

  • Government and Public Sector
  • Financial Services
  • Healthcare
  • Manufacturing
  • Retail
  • Telecommunications
  • Energy and Utilities
  • Critical Infrastructure Operators
  • Technology Companies
  • Cloud Service Providers
  • Education
  • Transportation and Logistics

These industries rely heavily on secure networking infrastructure to support essential operations and protect sensitive information.

Conclusion

The exploitation of Ruckus routers to build Operational Relay Box networks demonstrates how cyber threat actors continue to shift their focus toward overlooked infrastructure components. Network devices are no longer simply communication tools. They have become strategic assets for advanced cyber operations.

Organizations must extend their cybersecurity programs beyond endpoints by securing routers, firewalls, switches, and other networking equipment through continuous monitoring, vulnerability management, and proactive threat detection. A strong infrastructure security strategy is critical to defending against sophisticated espionage campaigns and protecting business operations.

About COE Security

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance.

Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services

To help organizations defend against infrastructure-focused cyber campaigns such as this, COE Security also provides:

  • Advanced Threat Detection and 24/7 Security Operations Center (SOC) monitoring
  • Network Security Assessments and secure network architecture reviews
  • Penetration Testing for Network, Cloud, IoT, Mobile, Web, AI, and Product environments
  • Vulnerability Assessments for internet facing infrastructure and network devices
  • Threat Hunting to identify indicators of compromise and unauthorized network activity
  • Incident Response and Digital Forensics to investigate and contain advanced attacks
  • Zero Trust security implementation to minimize lateral movement within enterprise environments
  • Security hardening for routers, firewalls, wireless infrastructure, and other critical network assets
  • Compliance consulting to help organizations strengthen security while meeting GDPR, HIPAA, PCI DSS, and industry specific regulatory requirements

Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption, emerging cyber threats, and practical cybersecurity strategies to help your organization stay secure, resilient, compliant, and cyber safe.

Click to read our LinkedIn feature article