China-Nexus Actors Are Using Botnet Covert Networks to Hide Attacks — Here's How to Defend Against Them

What happened

Australia's Cyber Security Centre (ACSC), the UK's NCSC, CISA, the FBI, NSA, and 11 other intelligence agencies from Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden have issued a joint advisory warning about a significant shift in how China-nexus cyber actors operate. Rather than using individually leased servers, these threat actors are now routing their attacks through large-scale networks of compromised consumer and business devices — a technique designed to obscure where attacks are actually coming from.

The advisory names two known threat groups exploiting this approach. Volt Typhoon has used covert networks to pre-position offensive capabilities inside critical national infrastructure. Flax Typhoon used a separate botnet of compromised devices to conduct cyber espionage. The advisory notes that a single covert network may be shared by multiple threat groups simultaneously, making attribution significantly harder for defenders.

There are no specific CVEs disclosed in this advisory. The focus is on a tactical shift rather than a single vulnerability — the threat stems from mass exploitation of already-unpatched or end-of-life devices across the internet.

Who is affected

Any organisation that is a potential target of Chinese state-sponsored cyber actors should treat this advisory as relevant. This includes:

  • Critical infrastructure operators — energy, water, transport, healthcare, and communications sectors
  • Government agencies at federal, state, and local levels
  • Defence industry and supply chains
  • Small and medium businesses using consumer-grade networking equipment (SOHO routers, NAS devices, IP cameras, smart devices) connected to corporate networks

The advisory specifically highlights that compromised Small Office/Home Office (SOHO) routers and IoT and smart devices make up the majority of these covert networks — meaning vulnerable nodes may sit inside your own network perimeter without your knowledge.

How it works

Covert networks function like a multi-hop anonymisation layer purpose-built for state-sponsored attacks. An attacker connects through an entry node, routes traffic across several compromised devices (traversal nodes), and exits through a node geographically close to the target — making the traffic appear to originate from a legitimate IP address in the same country or region.

The key challenge for defenders is what the advisory calls "IOC extinction": because these networks are constantly refreshed and nodes are cycled out rapidly, traditional indicators of compromise (malicious IPs, domains, file hashes) become stale almost immediately. Because several threat groups share the same network infrastructure, blocking one actor's IOCs also provides little protection against another actor using the same nodes. Static, signature-based defences alone are insufficient against this threat model.

What you should do

  1. Map and baseline your edge device traffic — catalogue all VPN gateways, firewalls, routers, and remote access points. Establish what normal traffic looks like so anomalies are detectable.
  2. Adopt dynamic threat feed filtering — subscribe to threat intelligence feeds that include covert network indicators, and automate their ingestion rather than relying on manual IOC updates.
  3. Enforce multi-factor authentication on all remote access — this limits what an attacker can do even if they successfully route through a compromised node to your perimeter.
  4. Apply zero trust controls where possible — implement IP allow lists, machine certificate verification, and least-privilege access for remote connections.
  5. Audit and replace end-of-life SOHO and IoT devices — devices that no longer receive security updates are prime candidates for botnet recruitment. Prioritise replacement or network isolation.
  6. Keep all devices patched and updated — apply security updates promptly across routers, firewalls, and any internet-facing infrastructure.
  7. For higher-risk organisations: consider active threat hunting — use NetFlow data to map upstream traffic patterns and identify potential covert network nodes communicating with your environment.
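The following script is an added example, not code from the advisory or from any of the issuing agencies. It ties together steps 1, 2 and 7 above, and the "IOC extinction" point from the previous section: it builds a baseline of which source prefixes normally reach an edge device from NetFlow-style records, treats threat-feed indicators as time-limited rather than permanent, and flags the "fan-in" pattern of many never-seen sources hitting the same gateway within minutes. Every record, feed entry, address and threshold is constructed for illustration (all IPs are from the RFC 5737 documentation ranges); the edge device, flow format, 24-hour validity window and five-minute fan-in window are assumptions, not values from the advisory.

```python
"""Edge-device traffic baseline, time-bounded IOC matching and fan-in detection.

Added example; not the advisory's or any agency's code. All data below is
constructed, and every address is from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hypothetical edge device (a VPN gateway) that we want to baseline.
EDGE_DEVICE = "192.0.2.1"

# Constructed NetFlow-style records: (timestamp, src_ip, dst_ip, dst_port, bytes).
# Baseline period: remote staff connect from one stable /24.
BASELINE_FLOWS = [
    ("2024-05-01T08:05:00", "198.51.100.21", EDGE_DEVICE, 443, 18000),
    ("2024-05-01T08:07:00", "198.51.100.22", EDGE_DEVICE, 443, 22000),
    ("2024-05-02T09:10:00", "198.51.100.23", EDGE_DEVICE, 443, 15000),
    ("2024-05-03T08:15:00", "198.51.100.21", EDGE_DEVICE, 443, 21000),
]

# Observation period: one known source, then four distinct never-seen sources
# from the same /24 within about ninety seconds (constructed "fan-in" pattern).
OBSERVED_FLOWS = [
    ("2024-05-08T02:11:00", "198.51.100.22", EDGE_DEVICE, 443, 20000),
    ("2024-05-08T02:12:10", "203.0.113.77", EDGE_DEVICE, 443, 1200),
    ("2024-05-08T02:12:40", "203.0.113.78", EDGE_DEVICE, 443, 1300),
    ("2024-05-08T02:13:05", "203.0.113.79", EDGE_DEVICE, 443, 1100),
    ("2024-05-08T02:13:30", "203.0.113.80", EDGE_DEVICE, 443, 1250),
]

# Constructed threat-feed entries. Each indicator carries the time it was
# published and how long it is considered valid; covert-network nodes churn
# quickly, so expired entries are dropped instead of accumulating forever.
FEED = [
    {"ip": "203.0.113.78", "published": "2024-05-07T20:00:00", "valid_hours": 24},
    {"ip": "203.0.113.200", "published": "2024-04-01T00:00:00", "valid_hours": 24},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_baseline(flows, prefix_len=24):
    """Map each edge device to the set of source prefixes that normally reach it."""
    seen = defaultdict(set)
    for _, src, dst, _, _ in flows:
        seen[dst].add(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
    return seen


def active_indicators(feed, now):
    """Return {ip: expiry} for feed entries still inside their validity window."""
    live = {}
    for entry in feed:
        expires = parse_ts(entry["published"]) + timedelta(hours=entry["valid_hours"])
        if now <= expires:
            live[entry["ip"]] = expires
    return live


def detect(flows, baseline, feed, window=timedelta(minutes=5), min_sources=3, prefix_len=24):
    """Return alerts as (kind, edge_device, subject, detail) tuples.

    kind == "ioc_match": a source IP is a currently valid feed indicator.
    kind == "fan_in":    >= min_sources distinct IPs from a prefix absent from the
                         baseline reached the device inside one sliding window.
    """
    alerts = []
    now = max(parse_ts(f[0]) for f in flows)
    live = active_indicators(feed, now)
    unseen = defaultdict(list)  # (dst, prefix) -> [(timestamp, src)]

    for ts_s, src, dst, _, _ in flows:
        ts = parse_ts(ts_s)
        if src in live:
            alerts.append(("ioc_match", dst, src, f"valid until {live[src].isoformat()}"))
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if net not in baseline.get(dst, set()):
            unseen[(dst, net)].append((ts, src))

    for (dst, net), events in unseen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            srcs = {s for t, s in events[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                alerts.append(("fan_in", dst, str(net), f"{len(srcs)} distinct sources within {window}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS), FEED):
        print(alert)
```

The expiry handling is the part worth copying: an indicator that was a covert-network node last month is unlikely to be one today, and a blocklist that only ever grows both misses the current nodes and starts blocking legitimate users once the device is cleaned or the IP is reassigned. The fan-in check complements it because it needs no indicator at all, only the baseline from step 1; in production the prefix length, window and threshold would be tuned per edge device against real NetFlow data.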

The covert network technique described in this advisory makes a clear case for knowing what your organisation looks like from the outside. Our Internet Exposure Assessment identifies internet-facing devices and services that could serve as entry points or be recruited into covert networks. For help implementing the network segmentation, edge device controls, and access hardening recommended above, our cybersecurity consulting team works with organisations across critical infrastructure, government supply chains, and regulated industries.
