---
title: "China-Backed Hackers Exploit Compromised Devices in Global Cyber Threat"
short_title: "China-nexus hackers use botnets to attack global networks"
description: "Learn how China-linked cyber actors use covert networks of compromised routers and IoT devices to launch attacks. Discover mitigation strategies to protect your infrastructure."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [china-nexus, botnets, cybersecurity, threat-intelligence, iot-security]
score: 0.87
cve_ids: []
---
## TL;DR
China-nexus cyber actors are increasingly using large-scale networks of compromised routers, IoT devices, and SOHO devices to conduct cyber espionage and pre-position offensive capabilities. These covert networks, or botnets, disguise malicious activity, making attribution difficult. Organizations must adopt dynamic threat detection and zero-trust policies to mitigate risks.
## Main Content
### Introduction
In a joint advisory, the UK National Cyber Security Centre (NCSC) and 14 international cybersecurity agencies have warned of a significant shift in the tactics of China-linked cyber actors. These threat groups are now leveraging large-scale networks of compromised devices, known as covert networks or botnets, to conduct cyber espionage, disrupt critical infrastructure, and evade detection. This article explores the structure of these networks, their impact, and actionable steps to defend against them.
### Key Points
- Shift in Tactics: China-nexus cyber actors have moved from individually procured infrastructure to large-scale networks of compromised devices, including SOHO routers, IoT devices, and firewalls.
- Global Threat: These covert networks are used by groups like Volt Typhoon and Flax Typhoon to target critical national infrastructure and conduct cyber espionage.
- Attribution Challenges: The dynamic nature of these networks, combined with their use by multiple threat actors, makes it difficult to attribute malicious activity using traditional methods like static IP blocklists.
- Commercial Involvement: Evidence suggests that Chinese information security companies are creating and maintaining these botnets, further complicating defensive efforts.
- Protective Measures: Organizations must adopt zero-trust policies, multifactor authentication (MFA), and dynamic threat feeds to combat this evolving threat.
### Technical Details
#### What Are Covert Networks?
Covert networks are large-scale botnets composed of compromised devices, such as:
- SOHO routers (e.g., Cisco, Netgear)
- IoT devices (e.g., web cameras, video recorders)
- Firewalls and NAS devices
These networks are used to:
- Disguise the origin of malicious activity.
- Conduct reconnaissance, malware delivery, and data exfiltration.
- Enable deniable internet browsing for threat actors researching exploitation techniques or victims.
#### How Are They Constructed?
Most covert networks follow a basic topology:
1. On-Ramp/Entry Node: The initial point where threat actors connect to the network.
2. Traversal Nodes: Compromised devices that route traffic through the network.
3. Exit Node: The final device, typically in the same geographic region as the target, from which malicious traffic exits.
This structure allows threat actors to obfuscate their identity and evade detection.
#### Real-World Examples
- Raptor Train: A botnet controlled by the Chinese company Integrity Technology Group, which infected over 200,000 devices worldwide in 2024.
- KV Botnet: Used by Volt Typhoon, this network primarily consisted of vulnerable Cisco and Netgear routers that were no longer receiving security updates.
### Impact Assessment
#### Why This Matters
The use of covert networks represents a paradigm shift in cyber threats:
- Scale: A single botnet can include hundreds of thousands of devices, making traditional defense mechanisms like static IP blocklists ineffective.
- Sophistication: These networks are constantly evolving, with new devices added as old ones are patched or removed.
- Critical Infrastructure at Risk: Groups like Volt Typhoon use these networks to pre-position offensive capabilities on critical national infrastructure, posing a significant risk to global security.
#### Challenges for Defenders
- Indicator of Compromise (IOC) Extinction: The dynamic nature of these networks means that IOCs quickly become outdated.
- Attribution Difficulties: Multiple threat actors can use the same botnet, making it challenging to attribute attacks to specific groups.
- Legitimate Use: Some covert networks are also used by legitimate customers, further complicating detection efforts.
### Mitigation Steps
#### For All Organizations
1. Map and Understand Network Edge Devices: Identify all assets and connections to your network.
2. Baseline Normal Connections: Monitor and profile connections to corporate VPNs or similar services to detect anomalies.
3. Leverage Dynamic Threat Feeds: Use threat intelligence feeds that include covert network infrastructure.
4. Implement Multifactor Authentication (MFA): Secure remote connections with MFA to prevent unauthorized access.
5. Use the NCSC Cyber Action Toolkit: Smaller organizations can create a free action plan using the NCSC Cyber Action Toolkit.
#### For Larger or High-Risk Organizations
1. Apply IP Allow Lists: Restrict VPN access to approved IP addresses only.
2. Use Geographic Allow Lists: Profile incoming connections based on geographic location, operating system, and time zones.
3. Implement Zero Trust Policies: Assume all connections are untrusted and verify each request.
4. Enforce Machine Certificates: Issue TLS client (machine) certificates to managed devices and require them on remote connections, so that a valid password alone is not enough to connect.
5. Reduce Internet-Facing Presence: Minimize exposure by limiting public-facing IT assets.
6. Invest in Machine Learning: Use AI-driven tools to detect and block anomalous activity at the network edge.
#### For the Largest or Most At-Risk Organizations
1. Track Covert Networks as APTs: Monitor and map covert networks using threat reporting and NetFlow feeds.
2. Active Hunting: Look for connections from IP addresses associated with SOHO routers or IoT devices.
3. Dynamic Blocklists: Create and implement dynamic blocklists to block known malicious infrastructure.
4. Use the NCSC Cyber Assessment Framework: Follow guidance for organizations under high threat levels, including those in energy, healthcare, and government sectors.
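The "Baseline Normal Connections" and "Leverage Dynamic Threat Feeds" steps above, together with the "Dynamic Blocklists" step for the largest organizations, can be combined in one detection pass over VPN authentication logs. The following is an added example, not code from the NCSC advisory: the feed entries, per-user baseline and log lines are all constructed, and feed entries expire after a fixed TTL so that extinct IOCs stop generating matches.

```python
"""Added example (not from the NCSC advisory): score VPN login events against a
per-user geographic baseline and a dynamic covert-network feed whose entries expire."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed feed: CIDRs reported as covert-network infrastructure, with the date
# each entry was last confirmed. Entries older than FEED_TTL are ignored, so the
# blocklist stays dynamic instead of accumulating extinct IOCs.
FEED_TTL = timedelta(days=7)
FEED = [
    ("203.0.113.0/24", datetime(2025, 1, 20)),   # recently confirmed: active
    ("198.51.100.0/24", datetime(2024, 12, 1)),  # stale: aged out of the blocklist
]
# Constructed per-user baseline: countries each user normally connects from.
BASELINE = {"alice": {"GB"}, "bob": {"GB", "DE"}}
# Constructed VPN authentication log: "<timestamp> <user> <src_ip> <country>".
LOGS = """\
2025-01-24T08:01:10Z alice 192.0.2.10 GB
2025-01-24T08:05:42Z alice 203.0.113.7 GB
2025-01-24T09:12:00Z bob 192.0.2.55 DE
2025-01-24T23:59:01Z bob 198.51.100.9 US
"""
NOW = datetime(2025, 1, 24, 12, 0)  # evaluation time for the sample data

def active_feed(now):
    """Return only the feed networks confirmed within FEED_TTL of `now`."""
    return [ip_network(cidr) for cidr, seen in FEED if now - seen <= FEED_TTL]

def evaluate(log_text, baseline, now):
    """Return (timestamp, user, src_ip, reasons) for each login worth a closer look."""
    nets = active_feed(now)
    alerts = []
    for line in log_text.splitlines():
        ts, user, src, country = line.split()
        ip = ip_address(src)
        reasons = []
        if any(ip in net for net in nets):
            reasons.append("covert-network feed match")
        if country not in baseline.get(user, set()):  # unknown users always deviate
            reasons.append(f"geo deviation ({country})")
        if reasons:
            alerts.append((ts, user, src, reasons))
    return alerts

def run_demo():
    return evaluate(LOGS, BASELINE, NOW)

if __name__ == "__main__":
    for ts, user, src, reasons in run_demo():
        print(ts, user, src, "; ".join(reasons))
```

In the sample data, the stale feed entry is ignored, so bob's US login is flagged only as a baseline deviation, while alice's login from the recently confirmed range is flagged as a feed match.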
## Conclusion
The rise of China-nexus covert networks marks a new era in cyber threats, where scale, sophistication, and deniability are prioritized. Organizations must adapt by adopting dynamic threat detection, zero-trust policies, and proactive monitoring to defend against these evolving attacks. Failure to act could leave critical infrastructure vulnerable to espionage, disruption, and long-term compromise.
For more information, refer to the NCSC advisory[^1] and the CISA alert[^2].
## References
[^1]: NCSC. "Defending Against China-Nexus Covert Networks of Compromised Devices". Retrieved 2025-01-24.
[^2]: CISA. "Joint Advisory on China-Nexus Cyber Actors". Retrieved 2025-01-24.
[^3]: Mandiant. "China-Nexus Espionage and ORB Networks". Retrieved 2025-01-24.