A Coordinated International Warning
A coalition of twelve government cybersecurity agencies from the United States and allied nations issued a joint advisory on Thursday, raising the alarm about what they describe as a "widespread shift" in the tactics, techniques, and procedures (TTPs) employed by China-nexus cyber actors. Rather than relying on individually acquired infrastructure, these actors have pivoted toward exploiting large-scale networks of compromised consumer and commercial devices to conduct a broad range of malicious operations.
The advisory was signed by agencies including the U.K. National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI, and partner organizations from Australia, Canada, Germany, the Netherlands, New Zealand, Japan, Spain, and Sweden.
What the Advisory Says
The document outlines a clear operational evolution among Chinese state-affiliated hackers. As the advisory states directly:
"Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices."
The advisory further notes that multiple covert networks have been created and are continually updated, and that a single covert network may be in use by more than one threat actor at the same time. These networks are predominantly composed of compromised small office/home office (SOHO) routers, alongside Internet of Things (IoT) devices and smart home equipment.
How These Networks Are Used
According to the agencies, covert networks give threat actors a cheap way to route malicious traffic through infrastructure that is not their own, obscuring the true origin of an attack and frustrating attribution. The advisory states the networks are used to "connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity."
Operationally, the networks are leveraged for a range of activities, including:
- Reconnaissance against target organizations and infrastructure
- Malware delivery to victim systems
- Data theft and cyber espionage operations
Evidence gathered by the agencies suggests that Chinese information security companies are responsible for creating and maintaining these networks on behalf of state-affiliated hackers.
Familiar Threat Actors, Escalating Scale
The advisory highlights specific well-documented threat groups as examples of actors using these covert networks in practice. The group known as Volt Typhoon has leveraged such infrastructure to pre-position itself on U.S. critical infrastructure, while Flax Typhoon has used similar networks to conduct targeted cyber espionage campaigns.
One notable example of such a covert network is Raptor Train, a botnet that infected 200,000 devices worldwide. The advisory emphasizes that these networks are not static: they are large, continuously evolving, and new ones are being built on an ongoing basis, which makes detection and disruption a persistent challenge for defenders.
Industry and Government Voices React
The advisory coincided with public remarks from NCSC CEO Richard Horne, who addressed the growing sophistication of Chinese cyber operations during a speech this week. Horne stated that "China's intelligence and military agencies now display an eye-watering level of sophistication in their cyber operations."
CISA Acting Director Nick Andersen also weighed in on Thursday, emphasizing the agency's collaborative posture: "Working closely with U.S. and international partners, CISA continues to identify and warn organizations of Chinese state-sponsored cyber actors threatening critical infrastructure. This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity."
Defensive Guidance for Organizations
The advisory acknowledges that defending against covert networks is not "straightforward," but it does offer a range of recommendations grounded in established cybersecurity best practices. For the largest and highest-risk organizations, the guidance goes further, recommending active engagement in:
- Hunting, tracking, and mapping known covert networks
- Using threat intelligence reporting to build and maintain blocklists
- Applying common cybersecurity hygiene practices across all network-connected devices, with particular attention to SOHO routers and IoT equipment
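The second recommendation, building and maintaining blocklists from threat intelligence reporting, has one practical wrinkle that follows from the first section of this article: the relay nodes are compromised SOHO routers and IoT devices on consumer connections, so an address that was a relay last month may belong to an uninvolved subscriber today. The script below, an added example that is not part of the advisory or of any agency tooling, shows one way to handle that. It parses an indicator export, ages out entries older than a configurable window, and then matches web-server access lines against the remaining indicators. The feed format, the field names, the 30-day window and the log lines are all assumptions for illustration; the addresses are taken from the RFC 5737 documentation ranges and identify no real relay node.

```python
"""Match access-log sources against an expiring blocklist of covert-network
relay indicators.

Added example, not from the advisory. The indicator feed and the access-log
lines are constructed; the addresses come from the RFC 5737 documentation
ranges and identify no real relay node.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed indicator export (assumed format): indicator, kind, last-seen (UTC).
SAMPLE_FEED = """\
indicator,kind,last_seen
198.51.100.23,ip,2025-01-10T08:00:00Z
203.0.113.0/24,cidr,2025-01-12T14:30:00Z
192.0.2.77,ip,2024-11-01T09:15:00Z
"""

# Constructed Apache-style access lines; the first token is the source address.
SAMPLE_LOGS = [
    '198.51.100.23 - - [13/Jan/2025:10:01:02 +0000] "GET /owa/ HTTP/1.1" 200 512',
    '203.0.113.45 - - [13/Jan/2025:10:02:11 +0000] "POST /api/login HTTP/1.1" 401 88',
    '192.0.2.77 - - [13/Jan/2025:10:03:40 +0000] "GET /robots.txt HTTP/1.1" 200 40',
    '10.0.0.5 - - [13/Jan/2025:10:04:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# Fixed evaluation time so the example is reproducible (assumed; a real run
# would use datetime.now(timezone.utc)).
NOW = datetime(2025, 1, 13, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    last_seen: datetime

    def __str__(self) -> str:
        return str(self.network)


def parse_feed(text: str) -> list[Indicator]:
    """Parse the CSV export. Single addresses become /32 (or /128) networks so
    that one lookup path serves both plain IPs and CIDR ranges."""
    indicators: list[Indicator] = []
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        value, kind, seen = (field.strip() for field in line.split(","))
        if kind not in ("ip", "cidr"):
            raise ValueError(f"unknown indicator kind {kind!r}")
        network = ipaddress.ip_network(value, strict=False)
        last_seen = datetime.fromisoformat(seen.replace("Z", "+00:00"))
        indicators.append(Indicator(network, last_seen))
    return indicators


def build_blocklist(indicators: list[Indicator], now: datetime,
                    max_age: timedelta = timedelta(days=30)) -> list[Indicator]:
    """Keep only indicators seen within max_age. Relay nodes sit on dynamic
    consumer addresses, so a stale entry is more likely to hit an uninvolved
    subscriber than the covert network."""
    return [i for i in indicators if now - i.last_seen <= max_age]


def lookup(address: str, blocklist: list[Indicator]) -> Indicator | None:
    """Return the most specific active indicator containing address, or None."""
    ip = ipaddress.ip_address(address)
    matches = [i for i in blocklist if ip in i.network]  # False across IP versions
    if not matches:
        return None
    return max(matches, key=lambda i: i.network.prefixlen)


def scan_logs(lines: list[str], blocklist: list[Indicator]) -> list[tuple[str, str]]:
    """Return (source address, matched indicator) for every line whose source
    field falls inside an active indicator."""
    hits: list[tuple[str, str]] = []
    for line in lines:
        src = line.split(" ", 1)[0]
        try:
            match = lookup(src, blocklist)
        except ValueError:  # malformed source field: skip rather than abort the scan
            continue
        if match is not None:
            hits.append((src, str(match)))
    return hits


if __name__ == "__main__":
    active = build_blocklist(parse_feed(SAMPLE_FEED), NOW)
    for src, indicator in scan_logs(SAMPLE_LOGS, active):
        print(f"{src} matched {indicator}")
```

With the constructed inputs, the first two log lines match (one on an exact address, one inside the /24) and the third does not, because its indicator was last seen more than 30 days before the evaluation time and has been aged out. The window is a tuning choice: too short and active relays slip through, too long and the list accumulates residential addresses that have long since been reassigned. Either way, a match from a known relay tells you where traffic was routed through, not who sent it, which is exactly the deniability the advisory describes.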
The breadth of the international coalition behind this advisory signals the seriousness with which Western governments are treating the threat. As Chinese-affiliated actors continue to scale and refine their use of compromised consumer infrastructure, organizations across all sectors — particularly those operating critical infrastructure — are urged to review the advisory and take its defensive recommendations seriously.
Source: CyberScoop