Global cybersecurity agencies sounded the alarm on Chinese government-linked hackers quietly building and maintaining hidden networks of hijacked devices to conduct covert operations. In an advisory titled ‘Defending Against China-Nexus Covert Networks of Compromised Devices,’ the National Cyber Security Centre (NCSC-UK) believes most China-nexus threat actors are already leveraging these networks, that several are actively running in parallel and continuously evolving, and that a single network may be shared across multiple actor groups simultaneously.
At the center of the warning lies the backbone of these networks, made of small office and home office (SOHO) routers, along with everyday IoT and smart devices sitting in homes and businesses worldwide, largely unmonitored and unprotected. The advisory recognizes that China-nexus cyber actors have moved from using individually procured infrastructure to operating large-scale ‘covert networks,’ essentially botnets built from compromised routers and other edge devices. It also sets out practical steps for network defenders to counter what is becoming a more coordinated and sophisticated threat.
“These networks are used for each phase of the Cyber Kill Chain, from reconnaissance and malware delivery, to command and control and data exfiltration against targets of espionage and offensive cyber operations,” the advisory warns. “The threat is a dynamic, low-cost, deniable infrastructure model that can be rapidly re-shaped, rendering traditional static IP block lists ineffective.”
“Working closely with U.S. and international partners, CISA continues to identify and warn organizations of Chinese state-sponsored cyber actors threatening critical infrastructure. This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity,” Nick Andersen, CISA acting director, wrote in a media statement. “CISA strongly encourages organizations to review and implement appropriate mitigation measures to defend their devices from this threat. Every day, CISA works to empower organizations with actionable information to strengthen their security and resilience against cyber threats.”
With support from the U.K. Cyber League, the advisory was jointly released by the NCSC-UK with several international partners. These include the Australian Signals Directorate’s Australian Cyber Security Centre, the Communications Security Establishment Canada’s Canadian Centre for Cyber Security, Germany’s Federal Office for the Protection of the Constitution, the Federal Intelligence Service, and the Federal Office for Information Security.
Additional contributors include Japan’s National Cybersecurity Office, the Netherlands’ General Intelligence and Security Service and Defence Intelligence and Security Service, New Zealand’s National Cyber Security Centre, Spain’s National Cryptologic Centre, and Sweden’s National Cyber Security Centre. The U.S. was represented by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).
Covert networks give threat actors a cheap, deniable way to hide their origins online. Used across every stage of an attack, from reconnaissance and malware delivery to data exfiltration, and even for anonymous research into new targets and techniques, they make detection harder because legitimate users share some of these same networks, muddying attribution efforts.
“There is evidence that covert networks used by China-nexus actors are created and maintained by Chinese information security companies,” the advisory highlighted. “A network known to network defenders as Raptor Train, which in 2024 infected more than 200,000 devices worldwide, was controlled and managed by the Chinese company, Integrity Technology Group. This company was also assessed by the FBI to be responsible for the computer intrusion activities attributed to China-based hackers known as Flax Typhoon.”
It added that “The KV Botnet used by Volt Typhoon was mainly made up of vulnerable Cisco and NetGear routers. The edge devices were vulnerable because they were ‘end of life,’ out of date, and no longer receiving updates or security patches by their manufacturers.”
The advisory noted that the threat is well-documented, but defenders are struggling to keep up. In a May 2024 blog, Mandiant Intelligence flagged a critical problem it described as IOC Extinction: when a threat group can route through any of several covert networks, each with hundreds of thousands of endpoints and shared across multiple actors, static IP blocklists become largely ineffective. The problem compounds as networks continuously refresh, cycling in new compromised devices as old ones are patched or taken offline.
The advisory added that the number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed. “The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network.”
It noted that because of this, a description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date, and for most network defenders would not be practically useful.
“However, most covert networks of compromised devices use the same basic set up,” according to the advisory. “Understanding this generalized structure can aid researchers and defenders by helping them to understand which part of a network they may have found, and how to defend against it.”
Defending against attackers who rely on covert networks is not straightforward. The right response will vary depending on an organization’s resources and the nature of its operations, but baseline cyber hygiene remains essential.
The advisory points to broader good practice guidance and directs organizations to further resources available through the NCSC. It also outlines more targeted steps to reduce the risk posed by large, dynamic networks of compromised devices.
Organizations are urged to build a clear picture of their network edge, identifying what assets exist and what should legitimately connect to them. Establishing a baseline of normal activity is critical, particularly for services such as corporate VPNs, so that unusual patterns, including connections originating from consumer broadband ranges, can be identified and investigated.
Defenders must make use of dynamic threat intelligence feeds that track covert network infrastructure, helping to spot emerging risks in real time. Strengthening access controls is another priority, with multifactor authentication recommended for all remote connections to limit unauthorized access.
Cyber defenders are provided with comprehensive guidance to identify, baseline, and mitigate activity from dynamic and deniable covert networks, aimed at reducing the risk of organizational compromise.
To strengthen defenses, CISA and partners advise organizations to map and understand network edge devices, developing a clear understanding of organizational assets and what should be connected to them; baseline normal connections, especially to corporate VPNs or other similar services; maintain log collection and storage solutions to assist with detecting and responding to unauthorized access attempts; and implement multifactor authentication for remote connections.
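The baseline-and-alert approach the advisory recommends for corporate VPN access can be illustrated with a small detection script. The following is an added example, not code from the advisory or from any of the agencies named; the log line format, the user names, the addresses and the consumer-broadband range are all constructed for the illustration. It builds a per-user baseline of source prefixes from a historical window of successful logins, then flags new logins whose source prefix is outside that baseline, falls in a range tagged as consumer broadband, or was completed without MFA.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log lines (assumed format, not from the advisory):
# ISO timestamp, user, source IP, whether MFA was completed, and the auth result.
HISTORICAL_LOGS = """\
2024-04-01T08:02:11Z user=alice src=203.0.113.45 mfa=yes result=success
2024-04-02T08:05:40Z user=alice src=203.0.113.51 mfa=yes result=success
2024-04-03T17:44:09Z user=bob src=198.51.100.8 mfa=yes result=success
2024-04-04T09:12:33Z user=bob src=198.51.100.9 mfa=yes result=success
"""

NEW_LOGS = """\
2024-05-01T03:14:07Z user=alice src=192.0.2.77 mfa=no result=success
2024-05-01T08:01:55Z user=alice src=203.0.113.60 mfa=yes result=success
2024-05-01T22:30:12Z user=bob src=192.0.2.130 mfa=yes result=success
"""

# Constructed: ranges the organisation has tagged as consumer broadband, i.e. where the
# compromised SOHO routers and IoT devices that make up covert networks typically sit.
CONSUMER_BROADBAND = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>\S+)$"
)


def parse(lines):
    """Parse the assumed log format into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "mfa": m["mfa"] == "yes",
            "result": m["result"],
        })
    return events


def build_baseline(events):
    """Per-user set of /24 source prefixes seen in successful logins during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(ipaddress.ip_network(f"{e['src']}/24", strict=False))
    return baseline


def flag_logins(events, baseline, consumer_ranges=CONSUMER_BROADBAND):
    """Return (event, reasons) pairs for logins that deserve investigation."""
    findings = []
    for e in events:
        reasons = []
        prefix = ipaddress.ip_network(f"{e['src']}/24", strict=False)
        if prefix not in baseline.get(e["user"], set()):
            reasons.append("source prefix not in user's baseline")
        if any(e["src"] in net for net in consumer_ranges):
            reasons.append("source in consumer broadband range")
        if not e["mfa"]:
            reasons.append("MFA not completed")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(HISTORICAL_LOGS))
    for event, reasons in flag_logins(parse(NEW_LOGS), baseline):
        print(event["ts"].isoformat(), event["user"], event["src"], "; ".join(reasons))
```

A /24 baseline is a deliberate simplification: a real deployment would learn from a longer window, key on ASN or ISP rather than prefix, and treat a prefix miss as a reason to look, not as proof of compromise. The consumer-broadband tagging is the part that maps most directly onto the advisory's point, since a connection to a corporate VPN from a home router range is exactly what a covert-network relay would look like.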
For U.K. organizations, the guidance should be applied alongside relevant legal and regulatory requirements related to network and data security. Responsibility for compliance remains with each organization, and the advisory makes clear that even when these measures are followed, they will not eliminate all risk.
For larger or higher-risk organizations, more advanced measures may be necessary, either managed internally or through a security provider. These include tightening access controls by applying IP address allow lists rather than deny lists for corporate VPN connections, and refining access policies through geographic filtering or by profiling incoming connections based on factors such as operating systems, time zones, and organization-specific configurations.
Moving toward a zero trust model is also recommended, alongside enforcing machine certificates for SSL connections to strengthen authentication. Reducing the overall internet-facing footprint of IT systems can limit exposure, while machine learning techniques may help establish patterns of normal network edge activity and flag anomalies more effectively. The NCSC’s Cyber Essentials framework is positioned as a baseline that can support organizations of all sizes in strengthening their defenses.
For the largest or most at-risk organizations, particularly those with advanced threat tracking capabilities, the guidance goes further. Covert networks linked to China should be treated as advanced persistent threats in their own right, with dedicated tracking and analysis. Active threat hunting is encouraged, focusing on identifying connections from IP addresses associated with compromised SOHO routers or IoT devices.
Organizations should also track and map covert networks identified by industry or government sources by analyzing indicators such as banners and digital certificates. Threat intelligence feeds can be used to build dynamic blocklists and alerting mechanisms to detect incoming threats in real time.
In addition, NetFlow data can provide upstream visibility, helping map these covert networks and uncover new nodes. For organizations operating under the highest levels of risk, including those delivering essential services across sectors such as energy, healthcare, transport, digital infrastructure, and government, the NCSC Cyber Assessment Framework offers more comprehensive guidance.
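The advisory's two advanced measures, a dynamic blocklist fed from threat intelligence rather than a static list, and NetFlow used to map a covert network and surface new nodes, fit together in one workflow. The following is an added example and not code from the advisory, the NCSC or any feed vendor; the feed records, the flow records, the 30-day expiry and the internal range are all constructed assumptions. Entries that the feed has not reconfirmed recently are dropped, which is what keeps the list dynamic as covert networks churn, and external peers of confirmed nodes are collected as candidates for follow-up analysis (banner and certificate checks, as the advisory suggests) rather than being blocked outright.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed threat-intelligence feed snapshot (not a real feed): indicators reported as
# covert-network nodes, with the time each was last confirmed.
FEED = [
    {"indicator": "198.51.100.23", "last_seen": "2024-05-20T10:00:00Z", "tag": "soho-router"},
    {"indicator": "203.0.113.0/28", "last_seen": "2024-05-21T09:30:00Z", "tag": "iot"},
    {"indicator": "192.0.2.200", "last_seen": "2024-03-01T00:00:00Z", "tag": "soho-router"},  # stale
]

# Constructed NetFlow-style records as an upstream provider might export them:
# (source, destination, destination port, bytes).
FLOWS = [
    ("198.51.100.23", "10.0.0.5", 443, 1200),
    ("203.0.113.9", "10.0.0.5", 443, 800),
    ("192.0.2.200", "10.0.0.7", 22, 300),          # only a stale indicator: must not match
    ("198.51.100.23", "192.0.2.44", 8443, 5000),   # known node talking to an external peer
    ("10.0.0.5", "198.51.100.77", 443, 900),
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_blocklist(feed, now, max_age=timedelta(days=30)):
    """Keep only indicators the feed confirmed within max_age; old entries are expired."""
    active = []
    for entry in feed:
        seen = datetime.strptime(entry["last_seen"], TS_FMT)
        if now - seen <= max_age:
            active.append(ipaddress.ip_network(entry["indicator"], strict=False))
    return active


def in_blocklist(ip, blocklist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def match_flows(flows, blocklist):
    """Flows whose source or destination is a currently listed covert-network node."""
    return [f for f in flows if in_blocklist(f[0], blocklist) or in_blocklist(f[1], blocklist)]


def candidate_nodes(flows, blocklist, internal):
    """External peers of listed nodes: candidates for analyst review, not automatic blocking."""
    candidates = set()
    for src, dst, _, _ in flows:
        for known, peer in ((src, dst), (dst, src)):
            if (in_blocklist(known, blocklist)
                    and not in_blocklist(peer, blocklist)
                    and ipaddress.ip_address(peer) not in internal):
                candidates.add(peer)
    return candidates


def analyse(feed=FEED, flows=FLOWS, now="2024-05-25T00:00:00Z", internal="10.0.0.0/8"):
    """Run the whole workflow on one feed snapshot and one batch of flows."""
    now_dt = datetime.strptime(now, TS_FMT)
    blocklist = build_blocklist(feed, now_dt)
    return {
        "active_indicators": [str(n) for n in blocklist],
        "matched_flows": match_flows(flows, blocklist),
        "candidate_nodes": sorted(candidate_nodes(flows, blocklist, ipaddress.ip_network(internal))),
    }


if __name__ == "__main__":
    result = analyse()
    print("active indicators:", result["active_indicators"])
    print("flows touching listed nodes:", result["matched_flows"])
    print("peers to review:", result["candidate_nodes"])
```

Run against the constructed data, the stale indicator is expired and the flow from it is not matched, three flows touch active nodes, and one external peer of a listed node is queued for review. The expiry window is the knob that matters: too long and the list decays into the static blocklist the advisory says no longer works, too short and nodes drop off before the feed reconfirms them.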
Cybersecurity agencies flag use of covert networks by China-linked actors for espionage, offensive operations – Industrial Cyber