This week, the UK’s National Cyber Security Centre (NCSC-UK), in concert with cybersecurity agencies in the US and other countries, warned of China-nexus threat actors increasingly using covert networks of compromised routers, IoT, and smart devices to facilitate attacks against US organizations.
Evidence suggests that Chinese information security companies are systematically creating and maintaining many of these botnets, which are often composed of small office and home office (SOHO) routers.
Chinese threat groups like Flax Typhoon and Volt Typhoon have then been using these networks to conduct reconnaissance, deliver and communicate with malware, and to exfiltrate data in a “low-cost, low-risk, deniable way,” the joint advisory noted.
“They can also be used for general deniable Internet browsing, allowing threat actors to research exploitation techniques, new TTPs, and their victims, without attribution,” the agencies said. “Some covert networks are also used by legitimate customers to browse the Internet, making it challenging to attribute malicious activity.”
The advisory goes on to add that threat actors' use of botnets to carry out attacks is not new. What has changed, however, is that China-affiliated threat groups are now using them strategically and at a scale previously unseen.
According to the NCSC-UK, China-backed actors have created numerous botnets that they constantly update and keep in a state of readiness for use by the country's state-backed threat groups. In addition to constantly adding new covert networks to the pool, the creators and maintainers of these botnets also constantly change them in response to defensive or legal actions. Confounding matters is the fact that multiple China-nexus threat groups might use the same botnet at the same time, making it hard for defenders to identify and block them.
Network defense approaches like static malicious IP block lists are not effective when a particular threat actor could be operating from any one of many covert networks, “each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors,” the advisory said. “This is compounded by the dynamic nature of these networks where new nodes will be added as old devices are patched or removed from use.”
Botnets of Mostly SOHO Routers
Most of the covert botnets that Chinese actors are using consist of compromised SOHO routers. But they can also include other vulnerable edge technologies such as IoT devices, web cameras, video recorders, end-of-life routers, firewalls, and network-attached storage devices.
“CISA and its partners are calling out a trend that’s been building for years: the industrialization of botnets,” says Matthew Hartman, chief strategy officer at Merlin Group. “Chinese actors are likely leveraging a division of labor, with some groups compromising and maintaining large pools of SOHO routers and consumer IoT devices, then handing off or leasing that access for operations. That model increases both scale and plausible deniability.”
Hartman says the timing of the advisory likely has more to do with the volume and maturity of botnet use by Chinese threat actors rather than with newness. “Russian and Iranian groups have used similar tactics, but the scale and tempo of Chinese operations are what set this apart and justify a coordinated advisory,” he says.
Bradley Smith, senior vice president and deputy CISO at BeyondTrust, said the operational model that China-backed threat groups have adopted mirrors that of initial access brokers in the cybercriminal ecosystem. The main difference here is that the activity is state-backed. “Chinese cyber operations have adopted a supply-chain model for offensive infrastructure: dedicated teams or contracted entities compromise and maintain large pools of SOHO routers, IoT devices, and edge equipment, then provision access to specific operational units based on mission requirements,” he says. Specialization at each stage — compromise, curation, provisioning, operational use — makes attribution harder and takedown less effective. “Removing one operational user does not affect the underlying infrastructure pool,” he points out.
The approach works, he says, because the kind of SOHO devices and consumer-grade technologies that the attackers are targeting share the same structural vulnerabilities: default credentials, infrequent patching, no centralized management, and owners who do not know their devices are Internet-reachable. In fact, concerns that foreign-made routers might deliberately include these weaknesses — almost all SOHO and consumer-grade routers in the US fall under this category — prompted the US government to recently ban the import of new models of routers made outside the US.
The NCSC and other cyber agencies who issued this week’s advisory recommend that organizations develop a clear picture of their network edge devices and all the assets that should be connecting with them. Organizations should baseline normal connections, like those from corporate VPNs, while looking out for unusual connections like one from a consumer broadband range.
Larger organizations should consider building geographic IP allow lists, profiling incoming connections based on factors like operating system, time zones, and configuration settings, and implementing zero-trust policies for incoming connections. Organizations most at risk should consider actively tracking the activities of China-nexus APTs, conducting threat hunting, and tracking and mapping covert networks that industry or government threat intelligence sources might report on.
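The recommendations above (baseline expected sources such as corporate VPN egress, watch for connections from consumer broadband ranges, keep a geographic allow list, and profile sessions by operating system and time zone) can be turned into a small triage pass over edge-device connection logs. The following is an added example, not code from the advisory or any agency: the log format, the IP ranges (RFC 5737 documentation addresses), the country lookup table, the user profile, and the names `triage_line`, `triage` and `Finding` are all constructed for illustration. A real deployment would draw the ranges from the organization's asset inventory and the country from a GeoIP database.

```python
"""Triage inbound edge connections against a baseline of expected sources.

Added example (not from the advisory or the article). All ranges, log lines,
the country table and the user profile are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed baseline: ranges this hypothetical organisation expects at its edge
# (e.g. its corporate VPN egress). Anything else is judged, not block-listed.
CORPORATE_VPN_EGRESS = [ipaddress.ip_network("192.0.2.0/28")]
# Constructed: ranges the organisation has identified as consumer broadband.
CONSUMER_BROADBAND = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed stand-in for a GeoIP lookup: network -> ISO country code.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # placeholder country code
}
GEO_ALLOW = {"GB", "US"}  # constructed geographic allow list
# Constructed per-user profile: what this account normally looks like.
USER_PROFILE = {"jdoe": {"os": "Windows", "tz": "Europe/London"}}

# Constructed log format: one connection per line with key=value fields.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+os=(?P<os>\S+)\s+tz=(?P<tz>\S+)"
)


@dataclass
class Finding:
    src: str
    user: str
    reasons: list = field(default_factory=list)


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def _country(ip):
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return None


def triage_line(line):
    """Return a Finding for one log line, or None if the connection is baseline."""
    m = LOG_RE.search(line)
    if not m:
        return None  # unparsable line; count these separately in production
    ip = ipaddress.ip_address(m["src"])
    user, os_name, tz = m["user"], m["os"], m["tz"]
    reasons = []
    # Source check: expected range, known consumer broadband, or unknown.
    if _in_any(ip, CORPORATE_VPN_EGRESS):
        pass  # expected source; the session is still profiled below
    elif _in_any(ip, CONSUMER_BROADBAND):
        reasons.append("source in consumer broadband range")
    else:
        reasons.append("source not in any baselined range")
    # Geographic allow list.
    cc = _country(ip)
    if cc not in GEO_ALLOW:
        reasons.append(f"country {cc or 'unknown'} not on geographic allow list")
    # Session profiling: OS and time zone against the user's baseline.
    profile = USER_PROFILE.get(user)
    if profile is None:
        reasons.append("no profile for user")
    else:
        if profile["os"] != os_name:
            reasons.append(f"OS {os_name} differs from baseline {profile['os']}")
        if profile["tz"] != tz:
            reasons.append(f"time zone {tz} differs from baseline {profile['tz']}")
    return Finding(m["src"], user, reasons) if reasons else None


def triage(lines):
    """Run triage_line over a log and keep only the connections worth a look."""
    return [f for f in (triage_line(line) for line in lines) if f]


# Constructed sample log.
SAMPLE_LOG = [
    "src=192.0.2.5 user=jdoe os=Windows tz=Europe/London",        # baseline
    "src=198.51.100.77 user=jdoe os=Windows tz=Europe/London",    # consumer broadband
    "src=203.0.113.9 user=jdoe os=Linux tz=Pacific/Auckland",     # unknown range, profile mismatch
    "src=192.0.2.5 user=admin os=Windows tz=Europe/London",       # VPN, but no profile
    "malformed line",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.src, finding.user, "; ".join(finding.reasons))
```

The point of the design is the one the advisory makes about block lists: nothing here depends on knowing which addresses are currently part of a covert network. A connection is judged against what the organization expects (its own ranges, its allowed countries, each user's normal OS and time zone), so a freshly recruited router that has never appeared on any threat feed is still surfaced when it turns up in a consumer broadband range or outside the baseline.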
It’s important also for organizations not to think of the threat as coming purely from nation-state backed groups, says John Gallagher, vice president of Viakoo Labs at Viakoo. “For years now cyber criminals have been forming and managing botnet armies ‘for hire’; the strong growth of the volume and velocity of DDoS attacks is a direct proxy of how infected IoT devices are,” he says. If not nation state actors, cyber criminals can still profit from a botnet army for purposes like cryptojacking or credential stuffing. “Rather than focus on the ‘who’ — which is likely to be a hybrid of criminal organizations alongside of nation states — organizations should focus on ‘what’ and ‘what to do’,” he advises.