NCSC and international partners warn of covert networks built from compromised devices

The UK National Cyber Security Centre (NCSC) and a group of international partners have issued new guidance on the use of large-scale networks of compromised devices by China-linked threat actors. The...

The UK National Cyber Security Centre (NCSC) and a group of international partners have issued new guidance on the use of large-scale networks of compromised devices by China-linked threat actors. The advisory says these covert networks are increasingly being used to hide malicious activity and make attribution more difficult.

According to the warning, many of the devices involved are everyday internet-connected products such as small office and home office routers, internet of things devices, cameras, video recorders, firewalls and network-attached storage systems. Once compromised, these devices can be used to support multiple stages of an intrusion, including scanning for targets, delivering malware, relaying commands, and moving stolen data out of a victim environment.

The agencies say this is not a new technique, but it is now being used in a more systematic and large-scale way. They note that some of these networks may be shared across multiple threat actors and updated continuously. In some cases, they may also overlap with legitimate customer traffic, which makes malicious use harder to spot.

The advisory points to recent activity linked to groups such as Volt Typhoon and Flax Typhoon, which have been associated with espionage and pre-positioning on critical infrastructure. It also cites examples of botnets containing hundreds of thousands of infected devices worldwide.

What defenders are being asked to do

The guidance focuses on reducing exposure from internet-facing equipment and improving visibility across networks that may be targeted through these covert routes.

  • Keep routers, firewalls and other edge devices fully patched and supported.
  • Replace obsolete devices that no longer receive security updates.
  • Change default credentials and use strong authentication where possible.
  • Disable unnecessary remote management and internet exposure.
  • Segment networks so a compromise of one device does not expose everything else.
  • Monitor logs and outbound traffic for unusual or unexpected connections.

NCSC director of operations Paul Chichester said botnet-style operations remain a serious threat because they exploit weaknesses in ordinary connected devices and can be used to support large-scale cyber activity. The advisory is intended to help network defenders identify the risk early and reduce opportunities for covert access.