China-linked threat actors have shifted from individually procured infrastructure to large-scale covert networks (botnets built from compromised routers and other edge devices), the National Cyber Security Centre (NCSC) warns.

To help organizations address this threat, the NCSC, together with the Cyber League and partner agencies, has issued an advisory.
The advisory includes guidance for organizations of all sizes, urging them to map and baseline traffic from edge devices, particularly VPN and remote access connections, and to adopt dynamic threat feed filtering that incorporates known covert network indicators.
The NCSC believes that most China-nexus groups rely on these so-called covert networks. Multiple networks have been created and are continuously updated, and a single network may be used by several groups at the same time. These networks are largely built from small office/home office (SOHO) routers, along with IoT and smart devices.
“The number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed. The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network,” the NCSC said.
According to the agencies, these networks are created and maintained externally by Chinese information security companies.
In September 2024, the NCSC, alongside international partners, called out China-based Integrity Technology Group for controlling and managing a botnet used by Flax Typhoon, a Chinese state-sponsored threat actor.
The company was later sanctioned by the EU Council for its role in cyberattacks that compromised more than 65,000 devices across six EU member states.
“Our new joint advisory consolidates insights and proactive advice from across the international cyber security community to help network defenders combat the use of covert networks,” noted Paul Chichester, NCSC Director of Operations.
“In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability,” added Chichester.
“Defending against attackers using covert networks is not straightforward,” the NCSC stated, adding that defensive tactics will vary depending on the level of resources and the nature of the target organization.

