www.darkreading.com 4/23/2026, 11:21:09 PM

China-Linked Actors Deploy Covert Botnets Using Routers and IoT

CyberSIXT Evidence Panel
Threat Actor
🇨🇳 Volt Typhoon

China-backed actors are increasingly using covert networks of compromised routers, IoT and smart devices to carry out attacks in a “low-cost, low-risk, deniable way,” according to this week’s advisory from coordinating cybersecurity bodies.

Evidence cited by the UK’s National Cyber Security Centre (NCSC-UK) suggests Chinese information security firms are systematically creating and maintaining botnets that largely comprise SOHO routers, with threat groups such as Flax Typhoon and Volt Typhoon using these networks for reconnaissance, malware delivery and data exfiltration.

The advisory notes that these botnets are dynamic, with new covert networks added and existing ones updated in response to defensive or legal actions, and that multiple China-nexus groups may use the same botnet at the same time, complicating attribution. Analysts describe this as the “industrialization of botnets,” enabled by a division of labour where large pools of compromised devices are curated and provisioned to operational units as needs arise.

The guidance urges organisations to map their edge devices, baseline connections, and consider zero-trust approaches, with a focus on threat hunting and tracking covert networks reported by industry or government.


Article by CyberSIXT