Key Takeaways
- The UK’s NCSC, together with cyber agencies from nine other nations, warns that China‑linked threat actors are increasingly using compromised everyday devices—especially Wi‑Fi routers—to hide the origin of cyber‑attacks.
- These “covert networks” or botnets are built from unpatched or ageing hardware and serve as launchpads for surveillance, data theft, and intrusion into critical infrastructure.
- NCSC chief Richard Horne described Chinese cyber‑operations as possessing an “eye‑watering level of sophistication,” characterising them as a peer competitor rather than merely a capable threat.
- Organisations are urged to map their IT environments, enforce multifactor authentication for remote access, and limit connections to external consumer‑grade devices to reduce exposure.
- Highlighted examples include the Volt Typhoon group’s infiltration of U.S. rail, aviation, and water systems, and a Chinese firm that built a covert network from 200 000 compromised devices worldwide.
NCSC Issues Global Warning on China‑Linked Device‑Based Espionage
The United Kingdom’s National Cyber Security Centre (NCSC) has joined forces with cyber‑security authorities from the United States, Australia, Canada, Germany and five other countries to issue a joint advisory highlighting a growing tactic employed by Beijing‑backed hackers. The alert stresses that malicious actors are routinely compromising inexpensive, internet‑connected equipment—most notably home and small‑office Wi‑Fi routers—to create hidden infrastructures that can be used for cyber‑espionage, data exfiltration and attacks on larger organisations. The notice makes clear that the threat is not theoretical; it reflects a documented shift in Chinese cyber‑operations that security officials now view as a strategic, nation‑level challenge.
What Are “Covert Networks” and How Do They Operate?
In the advisory, the NCSC defines the malicious infrastructures as “covert networks” or botnets—collections of hacked devices that attackers control remotely without the owners’ knowledge. These networks typically target devices that are outdated, lack recent firmware patches, or use default credentials, turning them into unwitting relays for malicious traffic. By routing command‑and‑control communications through numerous compromised routers, printers or webcams, the attackers obscure the true source of their activity, making attribution far more difficult for defenders and law‑enforcement agencies. The NCSC notes that the majority of China‑linked threat actors now rely on this technique to stage their operations.
NCSC Chief Describes Chinese Cyber Capability as a Peer Competitor
Speaking at the NCSC’s annual conference in Glasgow, chief executive Richard Horne underscored the gravity of the situation. He said that China’s intelligence and military agencies possess an “eye‑watering level of sophistication in their cyber‑operations,” elevating them beyond the realm of ordinary cyber‑criminals to a peer competitor in cyberspace. Horne warned that the United Kingdom and its allies face not just a capable adversary but a well‑resourced, persistent threat capable of sustaining large‑scale, long‑term campaigns against governmental, commercial and critical‑infrastructure targets.
Advisory Highlights a Major Shift in Chinese Tactics
The joint notice points out a “major shift” in the modus operandi of Chinese hacking groups: instead of relying solely on traditional servers or cloud infrastructure, they are now exploiting the vast pool of consumer‑grade internet devices to mask their movements. The most frequently hijacked equipment includes Wi‑Fi routers, but network‑connected printers and web cameras are also identified as vulnerable entry points. By compromising these devices, attackers can pivot from a residential network to corporate or governmental systems without raising immediate suspicion, effectively using the victim’s own broadband connection as a stealthy conduit for espionage.
Routers Compared to VPNs: A Hidden Launchpad for Attacks
Security officials liken the abused routers to virtual private networks (VPNs) in the sense that both technologies can conceal the geographic origin of traffic. However, while VPNs are intentional privacy tools, compromised routers are unwitting proxies that route malicious traffic through ordinary households. In practice, a hacker could instruct a botnet of infected routers to send packets that appear to emanate from a legitimate home user in, for example, Manchester, while the actual command centre resides somewhere in China. This obfuscation complicates defensive measures such as IP‑based blocking and geographic threat intelligence, forcing organisations to adopt more behaviour‑centric detection strategies.
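The behaviour-centric detection the officials recommend can be illustrated with a small log check. The following is an added example, not code from the NCSC or the advisory; the log format, the client fingerprint field and the thresholds are assumptions. It shows why per-IP blocking misses traffic relayed through a residential botnet (each compromised router contributes only one attempt) while a per-account view that counts distinct source addresses sharing one client fingerprint still surfaces the campaign.

```python
"""Behaviour-centric detection of login attempts relayed through many
unrelated residential IP addresses.  Added example: the log format,
fingerprint field and thresholds are assumptions, not from the advisory."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (documentation IP ranges):
# timestamp, source IP, account, result, client fingerprint
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.10 alice FAIL fp-7f3a
2024-05-01T09:00:09Z 198.51.100.23 alice FAIL fp-7f3a
2024-05-01T09:00:17Z 192.0.2.44 alice FAIL fp-7f3a
2024-05-01T09:00:25Z 203.0.113.77 alice FAIL fp-7f3a
2024-05-01T09:00:33Z 198.51.100.91 alice FAIL fp-7f3a
2024-05-01T09:00:41Z 192.0.2.8 alice OK fp-7f3a
2024-05-01T09:01:02Z 203.0.113.5 bob OK fp-11aa
2024-05-01T09:02:30Z 203.0.113.5 bob OK fp-11aa
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, fp = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "result": result, "fp": fp,
        })
    return events


def per_ip_failures(events):
    """The classic IP-centric view: failed attempts counted per source IP.
    Against a proxy botnet every address shows up once, so a threshold
    such as 'block after 3 failures' never fires."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[e["ip"]] += 1
    return dict(counts)


def detect_distributed_logins(events, window=timedelta(minutes=5), min_ips=4):
    """Behaviour-centric view: for each account, look for a time window in
    which attempts arrive from many distinct IPs but carry the same client
    fingerprint, i.e. one operator behind many relays.  Returns one alert
    per affected account describing the widest such window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ips = {e["ip"] for e in win}
            fps = {e["fp"] for e in win}
            if len(ips) >= min_ips and len(fps) == 1 and \
                    (best is None or len(ips) > best["distinct_ips"]):
                best = {
                    "user": user,
                    "distinct_ips": len(ips),
                    "fingerprint": next(iter(fps)),
                    # a success at the end of a failure run is the worst case
                    "fail_then_success": any(e["result"] == "FAIL" for e in win)
                    and win[-1]["result"] == "OK",
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP failures:", per_ip_failures(evs))
    for a in detect_distributed_logins(evs):
        print("ALERT:", a)
```

Run as a script it prints the per-IP counts (all 1, so nothing to block) followed by a single alert for `alice` with six distinct source addresses and a successful login at the end of the run. The fingerprint field stands in for whatever stable client attribute a site actually has (TLS fingerprint, header ordering, device ID); the point is that the attacker's relays change while the client behind them does not.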
Practical Steps for Businesses to Mitigate the Risk
Although the advisory is not aimed at the general public, it offers clear guidance for companies and organisations seeking to harden their defences. Key recommendations include:
- Mapping IT assets – maintaining an up‑to‑date inventory of all network‑connected devices, including those that link to employee broadband connections.
- Enforcing multifactor authentication (MFA) – requiring a second verification factor for any remote access to corporate systems, thereby reducing the value of stolen passwords.
- Limiting external connections – applying strict firewall rules that restrict inbound and outbound traffic to known, necessary services and blocking unnecessary protocols that could be abused by botnet controllers.
- Prompt patching and firmware updates – ensuring that routers, IoT devices and smart equipment receive regular security updates and that default credentials are changed upon deployment.
- Network segmentation – separating guest Wi‑Fi or personal‑device networks from critical internal systems to limit lateral movement if a device becomes compromised.
Implementing these controls can significantly reduce the likelihood that a corporate network will be used as a launchpad for China‑linked espionage or that attackers will hijack corporate‑owned devices to join a covert botnet.
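The five controls above can be checked mechanically once the asset inventory from the first step exists. The following is an added example and not code from the NCSC or the advisory: it assesses a constructed inventory of network-connected devices against the recommendations (default credentials, stale firmware, remote access without MFA, consumer-grade devices with a path to core systems, guest segments that are not actually isolated). Field names, the 180-day firmware age limit and the sample devices are assumptions.

```python
"""Inventory hygiene check against the advisory's recommended controls.
Added example; the data model, the firmware-age limit and the sample
inventory are assumptions, not part of the NCSC guidance."""
from dataclasses import dataclass
from datetime import date

MAX_FIRMWARE_AGE_DAYS = 180  # assumed policy value


@dataclass
class Device:
    name: str
    kind: str              # router, printer, camera, server ...
    grade: str             # "corporate" or "consumer"
    segment: str           # network segment the device sits in
    firmware_date: date    # date of the installed firmware release
    default_credentials: bool
    remote_access: bool    # reachable for administration from outside
    mfa_enforced: bool     # MFA required for that remote access
    reaches_core: bool     # can route to the core/critical segment


# Constructed sample inventory
INVENTORY = [
    Device("hq-core-fw", "server", "corporate", "core", date(2024, 3, 1),
           False, True, True, True),
    Device("lobby-printer", "printer", "corporate", "office", date(2023, 1, 15),
           True, False, False, True),
    Device("home-router-alice", "router", "consumer", "home", date(2022, 6, 1),
           False, True, False, True),
    Device("guest-cam-1", "camera", "consumer", "guest", date(2024, 4, 20),
           True, False, False, True),
]


def assess(device, today):
    """Return the list of control violations for one device."""
    findings = []
    if device.default_credentials:
        findings.append("default-credentials")
    if (today - device.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("stale-firmware")
    if device.remote_access and not device.mfa_enforced:
        findings.append("remote-access-without-mfa")
    if device.grade == "consumer" and device.reaches_core:
        findings.append("consumer-device-on-corporate-path")
    if device.segment == "guest" and device.reaches_core:
        findings.append("guest-segment-not-isolated")
    return findings


def assess_inventory(inventory, today):
    """Map device name -> findings for the whole inventory."""
    return {d.name: assess(d, today) for d in inventory}


def prioritise(report):
    """Device names ordered by number of findings, worst first; clean
    devices are omitted so the list is the remediation queue."""
    ranked = sorted(((n, f) for n, f in report.items() if f),
                    key=lambda nf: (-len(nf[1]), nf[0]))
    return [n for n, _ in ranked]


if __name__ == "__main__":
    report = assess_inventory(INVENTORY, date(2024, 5, 1))
    for name in prioritise(report):
        print(f"{name}: {', '.join(report[name])}")
```

Run with the sample data on 1 May 2024 the queue leads with the employee's home router and the guest camera (three findings each), then the printer with its default credentials and two-year-old firmware; the core firewall passes. Feeding the same functions a real inventory export is the point of the first recommendation: the other four are only checkable once every device is on the list.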
Real‑World Illustrations: Volt Typhoon and Massive‑Scale Covert Networks
The advisory cites the China‑linked group known as Volt Typhoon as a prime example of actors exploiting covert networks. Western authorities have traced Volt Typhoon’s activity to intrusions into critical U.S. infrastructure, including rail signalling systems, aviation control networks and water treatment facilities. The group’s ability to remain undetected for extended periods is attributed to its reliance on a distributed network of compromised routers and IoT devices that constantly rotate their command‑and‑control nodes.
In another illustration referenced by the NCSC, a private Chinese company allegedly built a covert network by infecting approximately 200 000 devices spread across the globe. These devices—mostly low‑cost home routers and smart cameras—were harnessed to relay malicious traffic, enabling the company to offer “residential proxy” services to other threat actors. This demonstrates how the commercialisation of compromised hardware can amplify the reach and efficiency of state‑backed cyber‑operations.
Google’s Disruption of a Residential Proxy Network Reinforces the Threat Landscape
Earlier this year, Google announced that it had taken down a large‑scale “residential proxy” network employed by both cyber‑criminal syndicates and state‑sponsored groups. The network leveraged hacked household computers, routers and smart devices to mask the origin of nuisance attacks, credential‑stuffing campaigns and more sophisticated intrusions. Google’s action underscores the pervasive nature of the problem: even major technology firms recognise that the exploitation of everyday equipment has become a staple in the toolkit of modern adversaries. The takedown serves as a reminder that vigilance, timely patching, and proactive threat‑intelligence sharing are essential to counteract a threat that turns the very connectivity enabling modern life into a conduit for espionage.