Global Cyber Agencies Warn of Expanding China-Linked Botnet Strategy


International cybersecurity agencies have issued an urgent Cybersecurity Advisory about a major evolution in state-linked cyber operations tied to the People’s Republic of China. Authorities say threat actors are increasingly relying on vast networks of compromised everyday devices—often called botnets—to obscure their activities, making detection and defence significantly more difficult.

A Strategic Shift in Cyber Warfare

Cybersecurity officials, including the UK’s National Cyber Security Centre (NCSC), alongside partners such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), say the change marks a turning point in how cyber espionage and attacks are conducted.

Historically, state-backed hackers relied on dedicated infrastructure—servers and domains directly controlled by the attackers. However, investigators now report a widespread pivot toward hijacking consumer and enterprise devices at scale. These include home routers, internet-connected cameras, and storage systems.

The trend is both cost-effective and difficult to attribute, giving attackers plausible deniability while expanding operational reach.

Covert Networks: A Growing and Elusive Threat

These so-called “covert networks” function by routing malicious traffic through thousands—or even hundreds of thousands—of compromised devices worldwide. Each device acts as a node, masking the origin of cyber operations.

Officials say these networks are now used across the entire attack lifecycle—from reconnaissance to data theft. For example:

  • The group Volt Typhoon has used such infrastructure to infiltrate critical infrastructure systems.
  • Another group, Flax Typhoon, leveraged similar networks for espionage campaigns.

One notable case involved a botnet dubbed Raptor Train, which reportedly infected more than 200,000 devices globally. Investigators linked its operation to a Chinese technology firm, raising concerns about state-private sector collaboration in cyber activities.

While botnets are not new, their scale, persistence, and strategic use represent a significant escalation.

Anatomy of a Modern Botnet


Rather than relying on a fixed structure, these networks are fluid and constantly evolving. However, analysts outline a typical pattern:

  • Entry node (on-ramp): The attacker connects to the network.
  • Traversal nodes: Traffic is passed through multiple compromised devices.
  • Exit node: The final device sends traffic to the target, and is often geographically close to the victim.

This layered routing makes it extremely difficult to trace activity back to its origin. Compounding the problem, many of the compromised devices are outdated or “end-of-life,” meaning they no longer receive security updates.

Why Traditional Defences Are Failing

Conventional methods—such as blocking known malicious IP addresses—are becoming ineffective.

A key issue is what analysts call “IOC extinction” (Indicator of Compromise extinction). Because attackers can rapidly rotate through thousands of infected devices, any single IP address becomes irrelevant almost immediately.

According to industry research, including reports from firms like Mandiant, defenders are now facing a moving target where infrastructure is constantly changing and shared across multiple threat actors.


Defensive Measures: A Shift Toward Adaptive Security

For All Organisations

Authorities recommend strengthening baseline security practices:

  • Maintain a detailed inventory of network-connected devices
  • Monitor and understand normal traffic patterns
  • Use multi-factor authentication (MFA)
  • Leverage real-time threat intelligence feeds

For Higher-Risk Organisations

More advanced protections are advised:

  • Restrict access using allow lists instead of block lists
  • Apply geographic and behavioural filtering
  • Adopt zero trust architectures, where no connection is automatically trusted
  • Reduce exposure of internet-facing systems

For Critical Infrastructure and Advanced Defenders

Organisations facing nation-state threats are urged to take further steps:

  • Actively hunt for suspicious traffic from consumer-grade devices
  • Track botnets as persistent threats in their own right
  • Use machine learning to detect anomalies in network behaviour
  • Analyse traffic flows (e.g., NetFlow data) to identify hidden network structures
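The following Python is an added example, not code from the advisory or from any of the agencies or firms named on this page. It puts the three ideas discussed above side by side on one set of flow records: a block list of yesterday's indicators (the "IOC extinction" problem), a default-deny allow list for an administrative service (the allow-list recommendation), and a behavioural test over NetFlow-style records that looks for many quiet sources converging on one port (the hunting guidance). Every address, prefix, port, indicator and the "consumer broadband" classification below is constructed for illustration; the documentation prefixes 198.51.100.0/24 and 203.0.113.0/24 stand in for residential ISP space and 192.0.2.0/24 for a trusted partner.

```python
"""Three views of the same flow records: stale block list, default-deny allow list,
and a behavioural test for a distributed, low-and-slow campaign.
Added example with constructed data; not the advisory's own tooling."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since the start of the observation window
    src: str       # source as the victim sees it: the covert network's exit node
    dst_port: int  # service being reached
    requests: int  # requests carried by the flow

# Constructed NetFlow-style records. Eight exit nodes each send one or two requests
# to the VPN login on 8443 and are then rotated out, so no single source ever
# crosses a per-IP threshold. 192.0.2.10 is a legitimate partner gateway.
FLOWS = [
    Flow(5, "198.51.100.14", 8443, 1),
    Flow(9, "203.0.113.77", 8443, 2),
    Flow(14, "198.51.100.201", 8443, 1),
    Flow(20, "203.0.113.8", 8443, 1),
    Flow(27, "198.51.100.66", 8443, 2),
    Flow(33, "203.0.113.150", 8443, 1),
    Flow(41, "198.51.100.9", 8443, 1),
    Flow(50, "203.0.113.42", 8443, 1),
    Flow(12, "192.0.2.10", 8443, 4),    # partner gateway, expected on the VPN login
    Flow(30, "192.0.2.10", 443, 9),     # partner browsing the public site
    Flow(44, "203.0.113.150", 443, 3),  # residential user reading the public site
]

# "Yesterday's" indicators: exit nodes seen in an earlier campaign (constructed).
# Only one is reused today, which is IOC extinction in miniature.
STALE_IOCS = {"203.0.113.77", "198.51.100.250", "203.0.113.99"}

# Sources permitted to reach administrative ports; everything else is denied.
ADMIN_ALLOWLIST = [ip_network("192.0.2.0/24")]
ADMIN_PORTS = {8443}

# Hypothetical stand-in for an ASN/ISP lookup labelling consumer broadband space.
CONSUMER_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


def in_ranges(ip: str, ranges) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def blocklist_hits(flows, blocklist):
    """Block-list view: only sources already known as indicators are flagged."""
    return {f.src for f in flows if f.src in blocklist}


def allowlist_denials(flows, allowed, admin_ports):
    """Allow-list view: any admin-port flow from an unlisted source is denied,
    regardless of whether the address has ever been seen before."""
    return {f.src for f in flows
            if f.dst_port in admin_ports and not in_ranges(f.src, allowed)}


def distributed_source_alerts(flows, window=60, min_sources=5, max_per_source=2):
    """Behavioural view: many distinct sources, each staying under a per-IP
    threshold, converge on one port inside a time window.
    Returns a list of (port, window_start, sorted_sources)."""
    buckets = defaultdict(Counter)
    for f in flows:
        buckets[(f.dst_port, f.ts // window)][f.src] += f.requests
    alerts = []
    for (port, bucket), per_src in sorted(buckets.items()):
        quiet = {src for src, n in per_src.items() if n <= max_per_source}
        if len(quiet) >= min_sources:
            alerts.append((port, bucket * window, sorted(quiet)))
    return alerts


def consumer_admin_sources(flows, consumer_ranges, admin_ports):
    """Hunting lead: consumer-grade origins touching administrative services."""
    return {f.src for f in flows
            if f.dst_port in admin_ports and in_ranges(f.src, consumer_ranges)}


if __name__ == "__main__":
    print("block list caught:", sorted(blocklist_hits(FLOWS, STALE_IOCS)))
    print("allow list denied:", sorted(allowlist_denials(FLOWS, ADMIN_ALLOWLIST, ADMIN_PORTS)))
    for port, start, srcs in distributed_source_alerts(FLOWS):
        print(f"port {port}, window from t={start}s: {len(srcs)} quiet sources")
    print("consumer origins on admin ports:",
          sorted(consumer_admin_sources(FLOWS, CONSUMER_RANGES, ADMIN_PORTS)))
```

Run against the constructed records, the stale block list catches one of the eight exit nodes, while both the allow list and the consumer-origin hunt flag all eight and leave the partner gateway alone. The behavioural test raises a single alert for port 8443 and none for the public site, because the partner's nine requests exceed the per-source ceiling and so are not counted as a "quiet" source; tune `min_sources` and `max_per_source` from your own baseline of normal traffic, which is why the inventory and baseline steps above come first.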

NCSC Resources & Best Practices

In addition to the protective advice outlined above, the NCSC publishes a number of cyber security best-practice resources that are also useful in defending against this threat.

Broader Implications: A Persistent Global Risk

The widespread exploitation of everyday devices poses risks not just to organisations, but to individuals worldwide.

Paul Chichester, Director of Operations at the NCSC, described botnet operations as a “significant threat,” noting their ability to exploit common technologies for large-scale attacks.

The challenge is compounded by the dual-use nature of these networks—some are partially used for legitimate internet traffic, further complicating detection and attribution.

Conclusion

The advisory underscores a critical reality: cyber threats are no longer confined to specialised infrastructure but are embedded within the global fabric of everyday technology.

As attackers continue to innovate, defence strategies must evolve accordingly—shifting from static protections to dynamic, intelligence-driven security models.

Governments and organisations alike now face a shared responsibility: securing not just their own systems, but the broader ecosystem of connected devices that underpin the modern internet.

