“Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices,” the advisory states.
Allied agencies behind the advisory
The warning was published jointly by the U.K. National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the FBI and partner agencies from Australia, Canada, Germany, the Netherlands, New Zealand, Japan, Spain and Sweden. The group described a “widespread shift” in methods used by “China‑nexus cyber actors.”
What the advisory says about covert networks
The agencies lay out a move away from individually procured command-and-control infrastructure toward “externally provisioned, large-scale networks of compromised devices.” These covert networks are described as primarily composed of compromised Small Office/Home Office (SOHO) routers, Internet of Things (IoT) and smart devices. The advisory notes that “multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors.”
According to the agencies, covert networks are used to “connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity.” The advisory also states that the available evidence suggests Chinese information security companies create and support the networks.
Tactics, tools, and examples: Volt Typhoon, Flax Typhoon, and Raptor Train
The agencies link covert networks to a range of malicious objectives, including reconnaissance, malware delivery and information theft. They cite named activity groups as examples: Volt Typhoon is described as using such techniques to pre-position on U.S. critical infrastructure, while Flax Typhoon is cited in connection with cyber espionage.
The advisory provides a concrete illustration of scale: the botnet Raptor Train is identified as “an example of a covert network,” and is said to have infected 200,000 devices worldwide. The agencies emphasize that these networks are large and constantly evolving, and that new covert networks are being built all the time.
Recommended defenses: active hunting, mapping, and blocklists
The advisory warns that defending against covert networks is not “straightforward,” but it lists mitigation steps rooted in established cyber hygiene. For most organizations the guidance points toward an “assortment of common good cybersecurity practices.” For the largest and most at‑risk organizations, the agencies recommend active measures: “engage in active hunting, tracking and mapping covert networks, using threat reporting to create blocklists and more.”
CISA Acting Director Nick Andersen framed the advisory as part of an ongoing effort: “Working closely with U.S. and international partners, CISA continues to identify and warn organizations of Chinese state-sponsored cyber actors threatening critical infrastructure.” He added, “This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity.”
What this means for security teams, critical‑infrastructure operators, and device vendors
- Security teams: The advisory directs the largest, most at-risk teams toward proactive threat hunting and mapping of covert networks, and toward creating blocklists informed by threat reporting.
- Critical‑infrastructure operators: The agencies cite pre-positioning on critical infrastructure—specifically naming activity by Volt Typhoon—highlighting the need for operators to account for adversary traffic that arrives through compromised SOHO routers and IoT devices rather than from infrastructure attributable to the actor, since the advisory's whole point is that these devices disguise origin and attribution.
- Device vendors and small‑network administrators: Because covert networks are said to rely heavily on compromised SOHO routers and IoT and smart devices, the advisory implicitly underscores exposure in commonly deployed consumer and small-business equipment.
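The mitigation the advisory spells out for large organizations, turning threat reporting into blocklists and then using them, is mechanical enough to show end to end. The script below is an added illustration written for this article, not code from the advisory, the agencies or CyberScoop. It assumes a threat report delivered as one address or CIDR per line (a common but not universal shape), firewall logs with a `src=` field, and an nftables-style set as the output format; the indicator values and log lines are constructed from RFC 5737/3849 documentation ranges and do not correspond to any real covert network. It collapses overlapping indicators so a single `/30` absorbs the host addresses inside it, rejects malformed lines instead of silently dropping them, and reports which blocklist entry each log hit matched, which is what a hunt team needs when it later traces a hit back to the report that produced it.

```python
"""Build a blocklist from threat-report indicators and check connection logs
against it.  Added example, not code from the advisory; every indicator and
log line below is constructed for illustration (RFC 5737 / RFC 3849 ranges)."""
import ipaddress
import re
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed indicator feed, one address or CIDR per line, '#' comments allowed.
# Note the deliberate overlap (.17 and .18 sit inside .16/30) and one bad line.
REPORT_INDICATORS = """
# constructed covert-network egress nodes (documentation ranges only)
198.51.100.0/24
203.0.113.17
203.0.113.18
203.0.113.16/30
2001:db8:abcd::/48
not-an-address
"""

# Constructed firewall log lines: timestamp, source, destination, port, verdict.
LOG_LINES = """
2025-01-15T08:02:11Z src=198.51.100.45 dst=10.0.0.5 dport=443 action=ALLOW
2025-01-15T08:02:14Z src=192.0.2.77 dst=10.0.0.5 dport=443 action=ALLOW
2025-01-15T08:03:01Z src=203.0.113.19 dst=10.0.0.9 dport=22 action=ALLOW
2025-01-15T08:03:05Z src=[2001:db8:abcd:1::9] dst=10.0.0.9 dport=22 action=ALLOW
2025-01-15T08:04:40Z src=203.0.113.99 dst=10.0.0.9 dport=22 action=ALLOW
"""

# Assumed log format: "src=" followed by an IPv4 or bracketed IPv6 literal.
SRC_RE = re.compile(r"\bsrc=\[?([0-9A-Fa-f.:]+)\]?")


def build_blocklist(text: str) -> Tuple[List[Network], List[str]]:
    """Parse indicators into networks, rejecting malformed lines, and collapse
    overlapping entries so the resulting blocklist is minimal."""
    v4: List[ipaddress.IPv4Network] = []
    v6: List[ipaddress.IPv6Network] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a bare host address become a /32 or /128.
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        (v4 if net.version == 4 else v6).append(net)  # type: ignore[arg-type]
    # collapse_addresses only accepts one address family at a time.
    nets: List[Network] = list(ipaddress.collapse_addresses(v4))
    nets += list(ipaddress.collapse_addresses(v6))
    return nets, rejected


def match_logs(log_text: str, blocklist: List[Network]) -> List[Tuple[str, str]]:
    """Return (source_ip, matched_network) for every log line whose source
    address falls inside a blocklisted network; unparseable sources are skipped."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        for net in blocklist:
            if src.version == net.version and src in net:
                hits.append((str(src), str(net)))
                break
    return hits


def render_nft_set(name: str, blocklist: List[Network], version: int) -> str:
    """Render the entries of one address family as an nftables interval set
    (to be placed inside a table definition)."""
    elems = ", ".join(str(n) for n in blocklist if n.version == version)
    addr_type = "ipv4_addr" if version == 4 else "ipv6_addr"
    return (f"set {name} {{\n    type {addr_type}\n    flags interval\n"
            f"    elements = {{ {elems} }}\n}}")


if __name__ == "__main__":
    nets, bad = build_blocklist(REPORT_INDICATORS)
    print("blocklist:", [str(n) for n in nets], "rejected:", bad)
    for src, net in match_logs(LOG_LINES, nets):
        print(f"HIT {src} matched {net}")
    print(render_nft_set("covert_v4", nets, 4))
```

Running it against the constructed data yields a three-entry blocklist (the two host indicators are absorbed by the `/30`), one rejected line, and three log hits; the fifth log line, `203.0.113.99`, is deliberately outside every range so a reader can confirm the matcher does not over-block on a shared `/24` prefix.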
At a speech this week, NCSC CEO Richard Horne went further in tone if not in technical detail: “we know that China’s intelligence and military agencies now display an eye-watering level of sophistication in their cyber operations.” That assessment, paired with the advisory’s examples and the 200,000‑device footprint of Raptor Train, paints a picture of persistent, scalable abuse of everyday hardware.
The agencies’ message is plain and precise: covert networks built from compromised routers and consumer devices provide cheap, deniable infrastructure that can be reused, refreshed and shared among actors. The advisory’s prescription — more active hunting, mapping and coordinated blocking — marks the next operational step the agencies are urging organizations to take.
https://cyberscoop.com/china-nexus-covert-networks-advisory/