"We have seen a deliberate shift in cyber groups based in China utilizing these networks to hide their malicious activity in an attempt to avoid accountability," Paul Chichester, director of operations at Britain's National Cyber Security Center, told reporters at the agency's CyberUK conference in Glasgow.
Covert networks built from hacked SOHO and IoT devices
British, U.S. and other national cybersecurity agencies warned that a growing number of Chinese nation-state threat actors now route their communications through compromised edge devices located inside the same country as their intended target. The advisory names the kinds of devices used: small office/home office routers, Internet of Things equipment and smart devices such as web cameras, digital video recorders, firewalls and network-attached storage devices.
Bouncing traffic through a swarm of such devices lets attackers obscure origin points, the agencies said, making tracking, combatting and attributing malicious operations more difficult for defenders.
Flax Typhoon, Volt Typhoon and the marketplace of covert services
The advisory calls out specific users of covert networks. The Chinese nation-state threat actor tracked as Flax Typhoon primarily targets Taiwan, while Volt Typhoon specializes in what the U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes as prepositioning designed to execute "disruptive or destructive cyber activity" against Western critical infrastructure.
Agencies also said covert networks are run by an array of private sector entities in China that provide services to different groups of attackers, including criminal enterprises (see: "US Prosecutors Indict iSoon Chinese Hacking Contractors"). That marketplace model helps multiple threat groups share and refresh nodes inside covert networks.
IoC extinction: why static indicators are losing value
The advisory warns that greater adoption of covert networks "across every stage of an intrusion" has driven a phenomenon the agencies call "IoC extinction." Because covert networks are constantly refreshed and nodes are shared across multiple threat groups, individual indicators of compromise—often tied to specific IP addresses observed late in an intrusion—disappear as quickly as they are discovered, officials said.
"If they're only using that for a week or a month or day, if we share those IoCs, it's much harder for the defenders - the false positive rate goes dramatically up, and they become much weaker indicators of compromise, rather than strong indicators," Chichester told reporters. The advisory also flags traditional geofencing—rejecting log-ins originating from outside a country—as less effective when attackers route traffic through devices physically inside the target country.
NCSC guidance: shift to intelligence-driven, dynamic defenses
In response, the NCSC recommends that organizations of all sizes create baselines of edge-device traffic, including all VPN and remote-access connections, and "adopt dynamic threat feed filtering that includes known covert network indicators." The agency urges, wherever possible, two-factor authentication together with "zero trust controls, IP allow lists and machine certification verification."
For larger and higher-risk organizations, officials suggest active hunting of suspicious SOHO/IoT traffic, geographic profiling and machine learning–based anomaly detection. For critical national infrastructure organizations—and those that must comply with U.K. network and information systems regulations—the NCSC points to its Cyber Assessment Framework, which details best practices for protecting vital services across energy, healthcare, transport, government and other sectors.
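The guidance above (baseline remote-access traffic, weight feed indicators dynamically, stop trusting in-country addresses) can be combined into one scoring routine. The following is an added illustration written for this article, not code from the NCSC or the advisory; the half-life, weights, threshold, feed entries, login history and the GeoIP/ASN stand-in table are all constructed assumptions.

```python
"""Baseline-plus-aged-indicator scoring for remote-access logins.

Added example, not from the advisory or the NCSC. It shows why a short-lived
covert-network node is a weak indicator on its own (its feed weight decays),
why a geofence passes in-country SOHO addresses, and how a per-account
baseline still surfaces the login. Every IP range, feed entry and timestamp
below is constructed sample data.
"""
import ipaddress
from datetime import datetime, timezone

HALF_LIFE_DAYS = 7.0      # assumption: an indicator's weight halves every 7 days
FRESH_WEIGHT = 60.0       # assumption: weight of a brand-new covert-network indicator
ALERT_THRESHOLD = 50.0    # assumption: combined score at which we alert
HOME_COUNTRY = "GB"       # the geofence's "inside the country" value


def _ts(text):
    """Parse an ISO-8601 date or datetime as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed threat feed: (network, last time a report saw it, tag).
FEED = [
    (ipaddress.ip_network("203.0.113.0/24"), _ts("2025-04-06"), "covert-network"),
    (ipaddress.ip_network("198.51.100.17/32"), _ts("2025-05-05"), "covert-network"),
]

# Constructed stand-in for a GeoIP/ASN lookup: network -> (country, residential/SOHO?).
ENRICH = {
    ipaddress.ip_network("192.0.2.0/24"): ("GB", False),     # corporate egress
    ipaddress.ip_network("203.0.113.0/24"): ("GB", True),    # in-country SOHO ISP space
    ipaddress.ip_network("198.51.100.0/24"): ("GB", True),   # in-country SOHO ISP space
    ipaddress.ip_network("198.18.5.0/24"): ("US", False),    # constructed foreign range
}

# Constructed known-good login history used to build the per-account baseline.
SAMPLE_HISTORY = [
    ("alice", "192.0.2.10", "2025-04-01T09:15:00"),
    ("alice", "192.0.2.22", "2025-04-02T10:40:00"),
    ("alice", "192.0.2.30", "2025-04-03T14:05:00"),
]
NOW = _ts("2025-05-06")  # fixed "current time" so the decay is deterministic


def enrich(ip):
    """Return (country, residential_flag) for an address, unknown -> ('??', False)."""
    addr = ipaddress.ip_address(ip)
    for net, info in ENRICH.items():
        if addr in net:
            return info
    return ("??", False)


def geofence_allows(ip):
    """The traditional check the advisory calls weaker: is the source in-country?"""
    return enrich(ip)[0] == HOME_COUNTRY


def indicator_weight(ip, now):
    """Feed weight that decays with the age of the last sighting (IoC aging)."""
    addr = ipaddress.ip_address(ip)
    best = 0.0
    for net, last_seen, _tag in FEED:
        if addr in net:
            age_days = max((now - last_seen).total_seconds() / 86400.0, 0.0)
            best = max(best, FRESH_WEIGHT * 0.5 ** (age_days / HALF_LIFE_DAYS))
    return best


def build_baseline(history):
    """Per-account set of usual /24 source networks and usual login hours."""
    baseline = {}
    for account, ip, ts in history:
        entry = baseline.setdefault(account, {"nets": set(), "hours": set()})
        entry["nets"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        entry["hours"].add(_ts(ts).hour)
    return baseline


def score_login(baseline, account, ip, ts, now):
    """Return (score, reasons, alert) combining baseline deviation, SOHO
    enrichment and the aged feed weight for one remote-access login."""
    score, reasons = 0.0, []
    profile = baseline.get(account, {"nets": set(), "hours": set()})
    net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
    if net24 not in profile["nets"]:
        score += 40.0
        reasons.append("new source network for account")
    if _ts(ts).hour not in profile["hours"]:
        score += 20.0
        reasons.append("outside account's usual hours")
    country, residential = enrich(ip)
    if residential:
        score += 20.0
        reasons.append(f"residential/SOHO address in {country}")
    weight = indicator_weight(ip, now)
    if weight > 0.0:
        score += weight
        reasons.append(f"feed match (aged weight {weight:.1f})")
    return round(score, 1), reasons, score >= ALERT_THRESHOLD


if __name__ == "__main__":
    base = build_baseline(SAMPLE_HISTORY)
    for ip, ts in [("192.0.2.40", "2025-05-06T09:30:00"),
                   ("203.0.113.45", "2025-05-06T03:10:00"),
                   ("198.51.100.17", "2025-05-06T10:00:00")]:
        print(ip, "geofence_allows=", geofence_allows(ip),
              score_login(base, "alice", ip, ts, NOW))
```

The second login in the usage block is the case the advisory describes: the address is in-country (the geofence passes it) and its feed entry is a month old (weight about 3, far below the alert threshold), yet the baseline deviation and the residential ISP enrichment push the combined score past 80. The third login shows a fresh indicator still carrying enough weight on its own; the decay is what keeps stale, shared covert-network nodes from becoming a false-positive source.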
The advisory has the backing of cybersecurity agencies across the Five Eyes partnership—Australia, Canada, New Zealand, the United Kingdom and the United States—as well as Germany, Japan, the Netherlands, Spain and Sweden.
How technologists, critical infrastructure operators, and policymakers are responding
- Technologists and security teams: Move from static blocks (single IPs) to intelligence-driven operations: continuous baselining of edge-device traffic, real-time threat feeds and active hunting, the NCSC advised.
- Critical national infrastructure organizations: Review controls in the NCSC's Cyber Assessment Framework, adopt zero trust measures, two-factor authentication and consider machine-certification and geographic-profiling approaches to spot covert-node traffic.
- Policymakers and regulators: The cross-national backing of the advisory signals synchronized concern among allied national cybersecurity agencies and underscores the need to incorporate covert-network indicators into regulatory guidance and incident response planning.
The net effect, as the advisory frames it, is to force defenders away from certainty rooted in static indicators and toward agility: real-time intelligence feeds, behavior-focused analytics and proactive hunting. That shift answers the immediate tactical problem—"IoC extinction"—but it leaves open a strategic question the agencies implicitly pose to defenders and regulators alike: can detection, response and liability frameworks be retooled quickly enough to keep pace with adversaries who subcontract concealment and refresh their infrastructure across many hosts?
https://www.govinfosecurity.com/hacked-devices-are-gateways-for-chinese-nation-state-hackers-a-31490