Ptechhub
Chinese hackers using compromised networks to spy on Western companies, says Five Eyes | Computer Weekly

By Computer Weekly
April 23, 2026


China-linked hackers are using networks of vulnerable internet-connected devices, including home routers, printers and smart devices, as cover to mount espionage and hacking operations.

The technique is now used by the majority of China-linked hackers as a way to obscure hacking and espionage attacks launched against organisations in the West.

The UK’s National Cyber Security Centre (NCSC) and national agencies in nine other countries have warned today that Chinese-linked groups are now leveraging networks of infected devices “at scale” to target critical sectors globally and steal sensitive data.

According to an advisory issued by the Five Eyes intelligence-sharing alliance – comprising the UK, the US, Canada, Australia and New Zealand – and 10 other countries, Chinese groups are exploiting security vulnerabilities in unpatched internet devices to create networks to use as a staging post to launch further attacks.

“We know that China’s intelligence and military agencies now display an eye-watering level of sophistication in their cyber operations,” said NCSC chief Richard Horne in a speech at its CyberUK conference in Glasgow.

Covert networks hide ‘indicators of compromise’

The agencies warn that the Chinese tactics are making it difficult for organisations to detect and attribute malicious attacks on their computer networks using traditional “indicators of compromise”.

Chinese groups, for example, could route an attack on a UK-based company through an infected device that is itself in the UK, so blocking non-UK IP addresses no longer defends against an attack that originates overseas.

They advise companies to adopt “adaptive, intelligence-driven measures” to better mitigate the risks, including monitoring traffic from internet-connected devices, virtual private networks (VPNs) and remote access appliances for suspicious activity.

Chinese-linked groups are able to evade detection by using low-cost networks of infected devices whose nodes can be swapped out rapidly, so that traditional static IP block lists go stale and are no longer effective.

The networks are used for each phase of a cyber attack, from reconnaissance and malware delivery, to command and control and data exfiltration against targets of espionage and offensive cyber operations, according to the advisory.

Covert networks behind major hacking operations

Covert networks of compromised devices have been used by the Chinese state-sponsored group Volt Typhoon to pre-position for future attacks on critical national infrastructure (CNI).

The group has targeted communications, energy, transport and water services in the US, and has been able to maintain covert access to critical IT systems for five years or more.

It used a network of end-of-life Cisco and Netgear routers that were no longer supported by their manufacturers and no longer received security patches.

Another Chinese group, Flax Typhoon, has used a covert network of 260,000 compromised devices, including routers, firewalls, webcams and CCTV cameras, to conduct cyber espionage against targets in multiple countries.

Hacking as a service

Chinese hacking groups have a choice of covert networks, each with potentially hundreds of thousands of endpoints whose membership changes frequently, making it harder for targeted companies to block attacks, according to the advisory.

Chinese information security companies have maintained networks of infected devices, available as a service for Chinese-linked hacking groups.

Chinese company Integrity Technology Group controlled a network known as Raptor Train, which infected more than 200,000 devices worldwide in 2024.

Companies advised to take countermeasures

The NCSC advises companies to map internet-connected devices in their organisation and corporate VPNs, so they can understand which traffic is legitimate.

They should also require multifactor authentication (MFA) for employees’ remote connections into business networks.

Larger organisations can profile incoming connections based on operating systems, time zones, and the organisation’s systems configurations to identify legitimate traffic.

The Five Eyes and the NCSC advise the most at-risk organisations to actively track Chinese advanced persistent threats (APTs), using threat reports supplied by the NCSC to create dynamic block lists and rules to detect incoming threats.
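The countermeasures above amount to a shift from a static geo-block to per-user behavioural profiling of remote-access logins, plus block lists that expire. The following is an added example, not code from the NCSC, the Five Eyes advisory or Computer Weekly, showing how that detection logic can be run over VPN authentication logs. The log format, field names, the "domestic" prefix list and the sample log lines are all constructed for illustration; the source addresses are RFC 5737 documentation ranges standing in for UK-resident ISP addresses.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

# Constructed sample VPN authentication log (assumed format, not any product's):
# timestamp|user|src_ip|client_os|client_tz|result
# The 2026-04-23 03:12 "alice" login comes from a "domestic" address but from a new
# OS, a new client time zone and at an unusual hour: the pattern a relay box gives.
SAMPLE_LOGS = """\
2026-04-20T08:02:11+01:00|alice|192.0.2.10|Windows 11|Europe/London|ok
2026-04-20T17:45:40+01:00|alice|192.0.2.10|Windows 11|Europe/London|ok
2026-04-21T08:10:03+01:00|alice|192.0.2.10|Windows 11|Europe/London|ok
2026-04-21T09:00:15+01:00|bob|198.51.100.7|macOS 14|Europe/London|ok
2026-04-22T09:30:02+01:00|bob|198.51.100.7|macOS 14|Europe/London|ok
2026-04-23T03:12:48+01:00|alice|203.0.113.55|Linux|Asia/Shanghai|ok
2026-04-23T10:15:00+01:00|bob|198.51.100.7|macOS 14|Europe/London|ok
"""

# Assumed "UK" prefixes (documentation ranges used as stand-ins).
DOMESTIC_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


@dataclass
class Login:
    ts: datetime
    user: str
    src_ip: str
    client_os: str
    client_tz: str
    result: str


def parse_logs(text: str) -> list[Login]:
    """Parse the pipe-separated log lines above into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, os_, tz, result = line.split("|")
        logins.append(Login(datetime.fromisoformat(ts), user, ip, os_, tz, result))
    return logins


def is_domestic(ip: str) -> bool:
    """The old geo-block: passes anything from a domestic prefix, relay or not."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DOMESTIC_PREFIXES)


@dataclass
class Profile:
    os_seen: set = field(default_factory=set)
    tz_seen: set = field(default_factory=set)
    ip_seen: set = field(default_factory=set)
    hours_seen: set = field(default_factory=set)


def build_profiles(logins: list[Login], cutoff: datetime) -> dict[str, Profile]:
    """Baseline each user from successful logins before `cutoff`."""
    profiles: dict[str, Profile] = defaultdict(Profile)
    for l in logins:
        if l.ts < cutoff and l.result == "ok":
            p = profiles[l.user]
            p.os_seen.add(l.client_os)
            p.tz_seen.add(l.client_tz)
            p.ip_seen.add(l.src_ip)
            p.hours_seen.add(l.ts.hour)
    return profiles


def score_login(login: Login, profile: Profile) -> list[str]:
    """Return every way the login deviates from the user's baseline."""
    reasons = []
    if login.client_os not in profile.os_seen:
        reasons.append("new client OS")
    if login.client_tz not in profile.tz_seen:
        reasons.append("new client time zone")
    if login.src_ip not in profile.ip_seen:
        reasons.append("new source IP")
    usual = {(h + d) % 24 for h in profile.hours_seen for d in (-2, -1, 0, 1, 2)}
    if login.ts.hour not in usual:
        reasons.append("unusual hour")
    return reasons


def detect(logins: list[Login], cutoff: datetime, threshold: int = 2):
    """Alert on post-cutoff logins with >= threshold deviations (unknown users: all)."""
    profiles = build_profiles(logins, cutoff)
    alerts = []
    for l in logins:
        if l.ts < cutoff:
            continue
        reasons = score_login(l, profiles[l.user])
        if len(reasons) >= threshold:
            alerts.append((l.user, l.src_ip, reasons))
    return alerts


class DynamicBlockList:
    """Block entries carry a TTL, so relay addresses that rotate do not pile up as
    stale permanent rules the way a static list would."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self._expiry: dict[str, datetime] = {}

    def add(self, ip: str, now: datetime) -> None:
        self._expiry[ip] = now + self.ttl

    def is_blocked(self, ip: str, now: datetime) -> bool:
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self._expiry[ip]  # lazily expire
            return False
        return True


if __name__ == "__main__":
    logins = parse_logs(SAMPLE_LOGS)
    cutoff = datetime.fromisoformat("2026-04-23T00:00:00+01:00")
    for user, ip, why in detect(logins, cutoff):
        print(f"ALERT {user} from {ip} (geo-block would pass: {is_domestic(ip)}): {why}")
```

The point the advisory makes is visible in the output: the suspect login passes `is_domestic`, so a static geo-block says "allow", while the per-user profile flags four deviations at once. The block list with a TTL is the "dynamic block list" the NCSC recommends; entries fed from threat reports should be re-added as reports are refreshed rather than kept forever.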

“In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability,” said Paul Chichester, NCSC director of operations. “We call on organisations to act now to better defend their critical assets.”
