NCSC warns of China-linked covert networks built from compromised devices
The UK National Cyber Security Centre has issued new guidance on a growing cyber threat involving large covert networks assembled from compromised routers and other internet-facing devices. According...
The UK National Cyber Security Centre has issued new guidance on a growing cyber threat involving large covert networks assembled from compromised routers and other internet-facing devices. According to the advisory, China-nexus threat actors have increasingly shifted away from using infrastructure they control directly and are instead relying on distributed networks of hijacked devices to support espionage and offensive operations.
How the networks are used
These botnet-style environments can be used at multiple stages of an intrusion. Investigators say they may help attackers collect reconnaissance data, deliver malware, maintain command-and-control links, and move stolen information out of a victim environment. Because the infrastructure is built from devices spread across many locations, it can be difficult to trace back to a single source.
The NCSC says this approach creates a flexible and inexpensive platform that can be altered quickly when defenders identify suspicious activity. That makes traditional block lists based on static IP addresses less effective, since compromised nodes may disappear or be replaced soon after they are found.
Why defenders are concerned
For affected organisations, the risk goes beyond stealth. The guidance warns that these covert networks could be used against UK targets to steal sensitive information and, in some cases, interfere with essential services. Another challenge is that different threat groups may share the same compromised infrastructure, which can make detection and attribution more difficult.
Security teams may also encounter what the advisory describes as a short lifespan for indicators of compromise. In practice, that means evidence of malicious infrastructure can vanish quickly, leaving defenders with little time to respond if they rely only on static controls.
Recommended actions
The NCSC, working with partner agencies and the Cyber League, has published advice aimed at organisations of different sizes. The recommendations focus on layered, adaptive controls rather than fixed IP-based blocking alone.
- Map and baseline traffic to edge devices, especially VPN and remote-access services.
- Use dynamic threat feeds that include known malicious infrastructure linked to covert networks.
- Enable multi-factor authentication for remote access.
- Apply zero trust measures where feasible, including IP allow lists and machine certificate checks.
- For larger or higher-risk environments, hunt for suspicious SOHO and IoT traffic and consider anomaly-detection tools.
The agency says organisations that combine visibility, authentication, and adaptive filtering will be better positioned to reduce exposure to this evolving threat.
