Key Takeaways
- Chinese state‑aligned threat actors have pivoted to large‑scale “covert networks” built from compromised small‑office/home‑office routers, IoT devices, and other edge hardware to mask their activity.
- Health care organizations are now explicitly highlighted as high‑value targets because they rely on interconnected medical devices and legacy equipment that often lack security updates.
- The advisory links recent campaigns such as Volt Typhoon and Flax Typhoon to these covert networks, noting their use for espionage and pre‑positioning for disruptive attacks on health‑care‑related critical infrastructure.
- Mitigation recommendations include inventory audits for end‑of‑life devices, tightening remote‑work policies, enhancing network monitoring for anomalous traffic, and shifting from signature‑based to behavior‑based defenses.
- Continuous guidance and threat intelligence are available through the American Hospital Association’s cybersecurity portal and direct contact with AHA’s national security advisor.
Overview of the Joint Advisory
On April 23, U.S. and international cybersecurity agencies—including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and several global partners—issued a joint advisory warning that China‑nexus cyber actors have significantly altered their tactics. The advisory stresses that these actors now employ expansive “covert networks” of compromised devices to conceal malicious operations, thereby increasing the risk to sectors that depend heavily on connected technology, especially hospitals and health systems.
The Rise of Covert Networks
The advisory defines covert networks as large collections of compromised small‑office or home‑office (SOHO) routers, Internet‑of‑Things (IoT) devices, and other edge hardware that attackers hijack to relay and hide their traffic. Because each relay is an ordinary residential or small‑business address, command‑and‑control traffic that passes through such a network appears to originate from innocuous sources rather than from adversary‑controlled infrastructure, which defeats blocking based on IP reputation, geolocation, or previously published indicators. Spreading that traffic across thousands of devices also lets operators rotate relays as individual nodes are discovered or cleaned, so they keep access while giving defenders little that is stable enough to block.
Why Health Care Is a Prime Target
Health systems are designated critical infrastructure, making them attractive to state‑aligned adversaries seeking intelligence or the ability to disrupt essential services. Hospitals typically run a heterogeneous mix of medical devices, administrative workstations, and supporting IT equipment, much of it interconnected across hospital‑wide networks. The advisory notes that recent China‑affiliated intrusion sets, most notably Volt Typhoon and Flax Typhoon, have used covert networks to conduct espionage and to pre‑position for potential disruptive attacks against infrastructure on which health care depends.
Specific Threats: Volt Typhoon and Flax Typhoon
Volt Typhoon and Flax Typhoon are two distinct intrusion sets attributed to Chinese state‑aligned groups. Both have relied on networks of compromised edge devices to obscure the origin of their operations; once inside a victim environment, the operators move laterally, exfiltrate sensitive data, and establish persistent access that could later support data destruction or service disruption. In the health sector, the stolen information may include patient records, research data, and operational details that could be exploited for geopolitical advantage or sold on underground markets.
Vulnerability of Legacy and End‑of‑Life Devices
A recurring theme in the advisory is the prevalence of end‑of‑life (EOL) technologies within health‑care settings—devices that no longer receive vendor security patches or firmware updates. Examples include older imaging equipment, legacy patient‑monitoring systems, and outdated networking gear. Because these devices lack ongoing support, they become easy prey for compromise and can be conscripted into the attacker’s covert network without the organization’s knowledge.
Recommended Defensive Actions for Health Systems
To counter the evolving threat, the advisory outlines a series of concrete steps:
- Asset Inventory Review – Conduct a thorough audit of all connected devices, flagging any EOL or unpatched equipment for replacement, isolation, or mitigation.
- Patch Management Prioritization – Apply available security updates promptly; where patching is impossible, implement compensating controls such as network segmentation or intrusion‑prevention signatures.
- Remote‑Work Policy Hardening – Review and tighten work‑from‑home technologies (VPNs, remote desktop tools) to ensure they do not inadvertently provide a gateway into the internal network.
- Enhanced Network Monitoring – Deploy behavioral analytics and traffic‑baseline solutions that can flag patterns indicative of covert‑network use, such as a clinical device that normally talks only to a few internal servers initiating outbound connections to unfamiliar external addresses. Because relay nodes are ordinary residential and small‑business IPs, reputation feeds often rate them as benign, so baselining what each device should talk to matters more than blocklists.
- Shift to Behavior‑Based Defenses – Move beyond reliance on known‑threat indicators (signatures) toward anomaly detection, threat‑hunting, and zero‑trust architectures that assume breach and verify every access request.
- Incident‑Response Preparedness – Update and test response plans to include scenarios involving covert‑network abuse, ensuring rapid containment and eradication capabilities.
The Role of Behavior‑Based Defenses
Traditional antivirus and signature‑based tools excel at catching known malware but falter against attackers who constantly rewrite their tools or use legitimate‑looking traffic through compromised devices. Behavior‑based defenses—such as endpoint detection and response (EDR), network traffic analysis (NTA), and user‑entity behavior analytics (UEBA)—focus on identifying deviations from normal activity, like a medical imaging system suddenly initiating encrypted outbound traffic to an unfamiliar IP address. By catching these subtle signs, health organizations can interrupt the attacker’s command‑and‑control chain before data exfiltration or destructive payloads are delivered.
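The following is an added example, not code from the advisory or from the AHA, showing the baselining approach that the monitoring and behavior‑based‑defense recommendations above describe and that the imaging‑system scenario in the preceding paragraph illustrates. It learns, per source device, which destination/port/protocol tuples were seen during a known‑clean window, then scores flows in a later window by how far they depart from that baseline. The flow records, the hospital's internal ranges, the approved external range (203.0.113.0/24), the device addresses, and the byte threshold are all constructed for the example.

```python
"""Baseline-driven detection of anomalous outbound flows from clinical devices."""
from __future__ import annotations
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hospital-internal address space (assumed for the example; load from IPAM in practice).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Approved external destinations, e.g. a vendor support endpoint (hypothetical range).
APPROVED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
# Bytes sent in a single flow above which we suspect bulk exfiltration (tuning knob).
LARGE_TRANSFER_BYTES = 50_000_000

# Constructed flow records: ts,src,dst,dport,proto,bytes_out. The learning window is
# assumed to be a known-clean period. In the detection window an imaging modality
# (10.20.5.17) pushes a large TLS transfer to an unapproved external address.
LEARNING_WINDOW = """
# imaging modality talks only to PACS (DICOM), DNS and NTP
2025-05-01T08:00:00Z,10.20.5.17,10.20.1.10,104,tcp,812000
2025-05-01T08:00:05Z,10.20.5.17,10.20.1.5,53,udp,120
2025-05-01T08:00:10Z,10.20.5.17,10.20.1.5,123,udp,76
# admin workstation talks to a file server and an approved vendor portal
2025-05-01T09:12:00Z,10.20.8.42,10.20.1.20,445,tcp,45000
2025-05-01T09:15:00Z,10.20.8.42,203.0.113.10,443,tcp,6100
"""
DETECTION_WINDOW = """
2025-05-02T03:10:00Z,10.20.5.17,10.20.1.10,104,tcp,900000
2025-05-02T03:11:30Z,10.20.5.17,198.51.100.23,443,tcp,120000000
2025-05-02T09:00:00Z,10.20.8.42,203.0.113.10,443,tcp,2200
2025-05-02T09:05:00Z,10.20.8.42,10.20.1.25,445,tcp,3000
2025-05-02T09:07:00Z,10.20.8.42,198.51.100.77,22,tcp,4000
"""

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int

def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV flow format above, skipping blank lines and # comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, bytes_out = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), proto, int(bytes_out)))
    return flows

def build_baseline(flows: list[Flow]) -> dict[str, set[tuple[str, int, str]]]:
    """Per source device, the set of (dst, dport, proto) seen in the learning window."""
    baseline: dict[str, set[tuple[str, int, str]]] = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport, f.proto))
    return baseline

def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def score_flow(flow: Flow, baseline) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means the flow matches the device's own baseline."""
    if (flow.dst, flow.dport, flow.proto) in baseline.get(flow.src, set()):
        return 0, []
    score, reasons = 1, ["destination/port not in device baseline"]
    external = not in_any(flow.dst, INTERNAL_NETS)
    if external and not in_any(flow.dst, APPROVED_EXTERNAL):
        score += 2
        reasons.append("unapproved external destination")
    if external and flow.dport in (443, 8443):
        score += 1
        reasons.append("encrypted outbound channel to external host")
    if flow.bytes_out >= LARGE_TRANSFER_BYTES:
        score += 2
        reasons.append("large outbound transfer")
    return score, reasons

def detect(flows: list[Flow], baseline, min_score: int = 3) -> list[dict]:
    # Flows at or above min_score become alerts; order follows the input.
    alerts = []
    for f in flows:
        score, reasons = score_flow(f, baseline)
        if score >= min_score:
            alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst, "dport": f.dport,
                           "score": score, "reasons": reasons})
    return alerts

def run_example() -> list[dict]:
    baseline = build_baseline(parse_flows(LEARNING_WINDOW))
    return detect(parse_flows(DETECTION_WINDOW), baseline)

if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} score={a['score']} {a['reasons']}")
```

On the constructed data, the imaging modality's 120 MB TLS push to 198.51.100.23 scores 6 (off baseline, unapproved external, encrypted, large), the workstation's SSH connection to 198.51.100.77 scores 3, and the workstation's new but internal SMB connection scores 1 and is not alerted at the default threshold. Two points from the scoring are worth carrying into a real deployment: nothing here consults a reputation feed, because a covert‑network relay is a home router whose address looks clean, and the learning window must genuinely be clean, since a baseline learned while a device was already talking to a relay will whitelist the attacker. In production the records would come from NetFlow, firewall, or NDR exports, and min_score and the byte threshold would be set per device class.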
Leveraging External Resources and Expert Guidance
The advisory concludes by pointing hospitals toward available support channels. The American Hospital Association (AHA) maintains a dedicated cybersecurity webpage (aha.org/cybersecurity) that aggregates threat intelligence, best‑practice guides, and toolkits tailored to the health‑care environment. Additionally, John Riggi, AHA’s national security advisor for cybersecurity and risk, offers direct consultation via email ([email protected]) for organizations seeking personalized advice on implementing the recommended mitigations.
Conclusion: Adapting to an Evolving Threat Landscape
The joint advisory underscores a clear shift: Chinese‑aligned cyber actors are no longer relying solely on bespoke malware; they are weaponizing the sheer volume of insecure, ubiquitous edge devices to build stealthy, scalable infrastructures for espionage and potential disruption. For hospitals and health systems—already managing complex, mission‑critical networks—this development heightens the urgency to modernize asset management, tighten remote‑access controls, and adopt proactive, behavior‑centric security postures. By heeding the guidance outlined above, health‑care organizations can better safeguard patient safety, protect sensitive data, and preserve the resilience of the critical infrastructure on which public health depends.