International cyber agencies issue guidance on China-linked covert networks
The UK’s National Cyber Security Centre has joined 15 international partners to publish new guidance aimed at helping organisations spot and defend against covert networks linked to China-based threat...
The UK’s National Cyber Security Centre has joined 15 international partners to publish new guidance aimed at helping organisations spot and defend against covert networks linked to China-based threat activity.
The advisory focuses on how attackers use compromised internet-connected devices, such as home routers and smart equipment, to hide the source of malicious operations. According to the agencies, these covert networks are being used at scale to target critical sectors, steal sensitive data and keep access to victim environments over time.
The guidance was released alongside contributions from industry participants in the NCSC’s Cyber League programme and is intended to give defenders practical steps for reducing risk. It also highlights a growing challenge for security teams known as IOC extinction, where indicators of compromise disappear quickly after they are identified. That means organisations may need more adaptive, intelligence-led monitoring rather than relying only on static indicators.
What the advisory recommends
- Strengthen monitoring and detection to identify suspicious activity linked to compromised third-party devices.
- Use layered defensive controls that can still work when indicators are short-lived or constantly changing.
- Review exposure to edge devices and other internet-facing systems that can be abused as part of a covert network.
- Adopt established security baselines and guidance suited to the size and maturity of the organisation.
NCSC Director of Operations Paul Chichester said the agency and its partners wanted to make the tactics more visible and encourage organisations to better protect critical assets. The advisory also notes that some of these networks are externally maintained by Chinese information security companies.
The NCSC has previously attributed covert network activity to China-linked operations and, in earlier actions with international partners, highlighted the role of Integrity Technology Group in relation to the Flax Typhoon botnet. The UK government later sanctioned that company, along with another China-based information security firm, over what it described as reckless and indiscriminate cyber activity.
Smaller organisations are being pointed to the free Cyber Action Toolkit, while larger enterprises are encouraged to pursue Cyber Essentials certification and use the Cyber Assessment Framework.
The full advisory and an executive summary are available on the NCSC website.
