"Anyone who is a target of China‑nexus cyber actors may be impacted by the use of covert networks," the joint advisory warned — a blunt opening to a bulletin that lays out a sprawling, global problem in compact terms.
China‑nexus cyber actors' covert networks: scope and purpose
A majority of China‑linked threat actors are using compromised routers and internet‑connected devices worldwide to build covert networks — botnets — that operate as proxy layers for further attacks, theft of sensitive data, and disruption of victim organizations’ operations, according to a joint advisory released by the UK National Cyber Security Centre (NCSC) and 15 other government agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden.
The advisory emphasises that the tactic is not new but that China‑nexus actors are "now using them strategically, and at scale." That scale and strategic use turn otherwise mundane consumer and small‑office gear into the plumbing of larger operations: a global pool of proxy devices that hides actor identity, amplifies access, and complicates network defence.
Integrity Technology Group and the Raptor Train example
The advisory names China's Integrity Technology Group as controlling and managing one such covert network: the so‑called Raptor Train. In 2024 Raptor Train infected more than 200,000 devices worldwide, the advisory states, including small office/home office (SOHO) routers, internet‑connected web cameras and video recorders, plus firewalls and network‑attached storage (NAS) devices.
The FBI previously assessed Integrity Technology Group to be responsible for computer intrusion activity attributed to a group labelled Flax Typhoon, the advisory notes, linking commercial actors, covert networks, and state‑attributed campaigns in a single thread.
Volt Typhoon, the KV Botnet, and shared infrastructure
The advisory paints a picture of shared and reused infrastructure: sometimes multiple China‑linked groups use a single covert network. It cites Volt Typhoon — described in the advisory as "the PRC‑backed crew that the feds say burrowed deep into critical US networks to preposition for future destructive attacks" — as having built the KV Botnet primarily from end‑of‑life Cisco and Netgear routers.
That detail underlines two operational realities flagged by the advisory: attackers will leverage aging, unpatched devices, and individual covert networks can be re‑purposed by different threat actors for distinct aims, from espionage to prepositioning for destructive operations.
NCSC and partner governments’ practical defensive prescriptions
Because covert networks are numerous, transient, and rapidly evolving, the advisory warns that "a description of all known covert networks in detail... would immediately be out of date — and for most network defenders would not be practically useful." Instead, it prescribes concrete controls defenders can implement now.
- Map and baseline edge device traffic, with particular attention to VPN and remote access connections.
- Adopt dynamic threat feed filtering that includes known covert network indicators.
- Implement multi‑factor authentication for remote access, zero‑trust security controls, IP allow lists, and machine certificate verification where possible.
- For large and high‑risk organisations: proactively hunt for suspicious SOHO and IoT traffic, use geographic profiling, and apply machine‑learning based anomaly detection.
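As an added illustration of the controls above (not code from the advisory or any of its authoring agencies), the Python below combines three of them on constructed remote-access log lines: a per-user geographic baseline, a filter against a covert-network indicator feed, and a check that each session used MFA and a machine certificate. The log format, the feed contents and the country field (assumed to come from the VPN gateway's GeoIP lookup) are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample VPN/remote-access log lines (not real data):
# timestamp user src_ip geoip_country mfa machine_cert
BASELINE_LOGS = """\
2025-01-06T08:02:11Z alice 203.0.113.10 GB yes yes
2025-01-06T08:15:43Z bob 198.51.100.7 GB yes yes
2025-01-07T09:01:02Z alice 203.0.113.11 GB yes yes
"""
NEW_LOGS = """\
2025-01-08T03:14:09Z alice 192.0.2.45 US yes yes
2025-01-08T03:20:51Z bob 198.51.100.7 GB yes yes
2025-01-08T03:33:27Z carol 192.0.2.200 BR no no
"""
# Constructed stand-in for a dynamic threat feed of covert-network ranges.
INDICATOR_FEED = [ipaddress.ip_network("192.0.2.0/26")]

def parse(text):
    """Turn the space-separated log lines into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, user, src, country, mfa, cert = line.split()
        rows.append({"ts": ts, "user": user, "src": ipaddress.ip_address(src),
                     "country": country, "mfa": mfa == "yes", "cert": cert == "yes"})
    return rows

def build_baseline(rows):
    """Per-user set of countries seen during the baseline window."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["country"])
    return seen

def hunt(rows, baseline):
    """Return (user, src_ip, reasons) for each session that deserves review."""
    findings = []
    for r in rows:
        reasons = []
        if any(r["src"] in net for net in INDICATOR_FEED):
            reasons.append("source in covert-network indicator feed")
        if r["country"] not in baseline.get(r["user"], set()):
            reasons.append("country outside user's baseline")
        if not r["mfa"] or not r["cert"]:
            reasons.append("remote access without MFA and machine certificate")
        if reasons:
            findings.append((r["user"], str(r["src"]), reasons))
    return findings
```

Run `hunt(parse(NEW_LOGS), build_baseline(parse(BASELINE_LOGS)))` to see alice's session flagged on the feed and geography checks and carol's on geography and missing MFA, while bob's in-baseline session is left alone.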
The advisory also highlights that financially motivated cyber crews use the same techniques — the FBI recently worked with law enforcement in eight other countries to disrupt SocksEscort, a residential proxy service blamed for compromising hundreds of thousands of routers and enabling digital fraud that cost businesses and consumers millions.
What this means for technologists, policymakers, enterprises, and consumers
- Technologists and security teams: Prioritise mapping and baselining of edge traffic, deploy dynamic threat feeds, hunt for anomalous SOHO/IoT behaviour, and harden remote access with MFA and machine certificates as the advisory recommends.
- Policymakers and regulators: The advisory reframes the problem as both a national‑security and an infrastructure integrity issue, underscoring the need to address end‑of‑life device ecosystems that actors like Volt Typhoon exploit.
- Enterprises and procurement leaders: Expect recommendations to push for strict allow‑listing, zero‑trust controls, and supplier scrutiny for devices that sit at the network edge — especially routers and consumer‑grade network gear.
- Consumers and small offices: Devices such as SOHO routers, web cameras, and NAS appliances can be co‑opted into large covert networks; basic hardening and timely replacement of end‑of‑life equipment are direct risk‑reduction steps implied by the advisory.
The advisory’s central tension is practical: the covert networks are many, fluid, and reused by different actors, so detailed catalogues will quickly go stale. The governments behind the advisory therefore push defenders to change what they control — access, authentication, monitoring, and filtering — rather than trying to chase every new botnet by name.
For organisations and individuals, the message is unambiguous and operational: map your edge, authenticate and filter access rigorously, hunt for anomalous routed traffic, and treat commodity devices as potential infrastructure for larger campaigns. The advisory leaves the hard, ongoing work to defenders worldwide — and the simple but difficult task of keeping edge devices out of the hands of covert networks.