A dozen allied agencies say China is building covert hacker networks out of everyday routers

https://cyberscoop.com/china-nexus-covert-networks-advisory/

Publish Date: 2026-04-23 12:14:00

Source Domain: cyberscoop.com

U.S. and international government agencies warned Thursday about a “widespread shift” in Chinese hacker methods toward the use of large-scale covert networks that compromise common devices to carry out a variety of attacks.

The advisory details how those networks work, and defensive steps organizations should take.

“Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices,” the warning reads.

The U.K. National Cyber Security Centre, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the FBI and agencies from Australia, Canada, Germany, the Netherlands, New Zealand, Japan, Spain and Sweden joined forces on the advisory.

It says that “multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.”

It continues: “Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity.”

Evidence suggests that Chinese information security companies create and support the networks, according to the agencies. Hackers use the networks for reconnaissance, malware delivery and stealing information, they said.

Examples of covert network use include activity by the group known as Volt Typhoon to pre-position on U.S. critical infrastructure, and by Flax Typhoon to conduct cyber espionage.

An example of a covert network is the botnet Raptor Train, which infected 200,000 devices worldwide. The networks are large, constantly evolving and with new ones being developed…
