A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations, according to a joint 10-country advisory.
"Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks," the security advisory warned. It was jointly released by the UK National Cyber Security Centre (NCSC) and 15 other government agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden.
"The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale," according to the alert.
Some of these covert networks are created and maintained by Chinese information security companies, the advisory says. For example, China's Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office/home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices.
The FBI previously assessed Integrity Technology Group to be responsible for computer intrusion activity attributed to Flax Typhoon.
All the other Typhoons, we're told, also use these covert networks for their infrastructure - sometimes multiple China-linked groups use a single covert network. Volt Typhoon, the PRC-backed crew that the feds say burrowed deep into critical US networks to preposition for future destructive attacks, built its KV Botnet using mostly end-of-life Cisco and Netgear routers.
Because the number of these covert networks is so large, with new botnets regularly developed and deployed and existing ones shutting down, sometimes because of law enforcement disruption efforts, "a description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date - and for most network defenders would not be practically useful," the agencies say.
However, there are steps that defenders can take to combat this threat.
"All organizations should map and baseline their edge device traffic, especially VPN and remote access connections, and adopt dynamic threat feed filtering that includes known covert network indicators," the NCSC advises.
Additionally, the advisory recommends implementing multi-factor authentication for remote access along with zero-trust security controls, IP allow lists and, where possible, machine certificate verification.
The governments also suggest large and high-risk organizations consider proactively hunting suspicious SOHO and IoT traffic, using geographic profiling, and machine learning based anomaly detection.
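The baselining, threat-feed filtering and geographic profiling the advisory describes can be combined in a small detection pass over remote-access logs. The script below is an added example, not code from the advisory, the NCSC or The Register: it builds a per-user baseline (source countries and source /24 networks) from an earlier window of VPN gateway logins, then scores a newer window against that baseline and against a feed of "known covert network" indicators. The log format, the user names and the feed ranges are all constructed (the feed uses RFC 5737 documentation addresses as placeholders for real indicators).

```python
"""Baseline remote-access logins and flag covert-network indicators.

Added example (not from the advisory or the article). Log lines, users,
countries and the indicator feed are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed threat feed of "known covert network" ranges. A real deployment
# would load these from a vendor or government feed; these are RFC 5737
# documentation addresses used as placeholders.
COVERT_NETWORK_FEED = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed VPN gateway log lines: timestamp,user,src_ip,country
BASELINE_LOGS = """\
2025-06-02T08:03:11Z,alice,192.0.2.10,GB
2025-06-02T08:15:40Z,bob,192.0.2.55,GB
2025-06-03T09:02:05Z,alice,192.0.2.11,GB
2025-06-04T07:58:22Z,bob,192.0.2.57,NL
2025-06-05T08:30:00Z,alice,192.0.2.12,GB
"""

NEW_LOGS = """\
2025-06-09T08:05:13Z,alice,192.0.2.10,GB
2025-06-09T03:41:09Z,alice,203.0.113.77,US
2025-06-09T08:20:31Z,bob,198.51.100.9,NL
2025-06-09T08:44:02Z,bob,192.0.2.57,NL
2025-06-09T22:10:45Z,carol,192.0.2.90,BR
"""


@dataclass
class Login:
    ts: datetime
    user: str
    src_ip: object  # ipaddress.IPv4Address or IPv6Address
    country: str


def parse_logs(text):
    """Parse the constructed CSV-style log lines into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.split(",")
        # fromisoformat() accepts "+00:00" on every supported Python version
        logins.append(Login(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, ip_address(ip), country))
    return logins


def source_network(ip):
    """Collapse a source address to its /24 (IPv4) or /64 (IPv6) for baselining."""
    prefix = 24 if ip.version == 4 else 64
    return ip_network(f"{ip}/{prefix}", strict=False)


def build_baseline(logins):
    """Per-user profile: countries and source networks seen in the baseline window."""
    baseline = defaultdict(lambda: {"countries": set(), "networks": set()})
    for login in logins:
        baseline[login.user]["countries"].add(login.country)
        baseline[login.user]["networks"].add(source_network(login.src_ip))
    return dict(baseline)


def is_covert_indicator(ip):
    """True if the address falls inside any range in the indicator feed."""
    ip = ip_address(ip) if isinstance(ip, str) else ip
    return any(ip in net for net in COVERT_NETWORK_FEED)


def evaluate(logins, baseline):
    """Score each login; an indicator hit is actionable, a profile deviation is for review."""
    findings = []
    for login in logins:
        reasons = []
        if is_covert_indicator(login.src_ip):
            reasons.append("covert-network-indicator")
        profile = baseline.get(login.user)
        if profile is None:
            reasons.append("unknown-user")
        else:
            if login.country not in profile["countries"]:
                reasons.append("new-country")
            if not any(login.src_ip in net for net in profile["networks"]):
                reasons.append("new-network")
        if reasons:
            action = "block" if "covert-network-indicator" in reasons else "review"
            findings.append({"user": login.user, "src_ip": str(login.src_ip),
                             "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_logs(BASELINE_LOGS))
    for f in evaluate(parse_logs(NEW_LOGS), base):
        print(f"{f['action']:6} {f['user']:6} {f['src_ip']:16} {', '.join(f['reasons'])}")
```

The split between "block" and "review" mirrors the advisory's two tiers: a feed match is an indicator you can act on at the edge, whereas a new country or network for a known user is only a deviation from baseline and needs an analyst (or a richer model) before anything is blocked. On the constructed data, alice's login from the indicator range is both a feed hit and a geographic deviation, bob's hit comes from a range never seen for that account, and carol is flagged only because she has no baseline at all.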
It’s also worth noting that financially motivated cyber crews co-opt routers and other connected devices to disguise their criminal activities.
Just last month, the FBI spoke exclusively to The Register about its work with cops from eight other countries to disrupt SocksEscort, a residential proxy service used to compromise hundreds of thousands of routers worldwide and carry out digital fraud, costing businesses and consumers millions. ®