Twelve allied government cybersecurity agencies issued a joint advisory on May 23, 2024, warning of a significant shift in Chinese state-sponsored cyber operations. The warning highlights a move from individually procured infrastructure to large-scale covert networks composed of compromised everyday devices.
According to the advisory, “Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices.”
Agencies Behind the Advisory
The joint warning was issued by the following agencies:
- U.S. Cybersecurity and Infrastructure Security Agency (CISA)
- U.S. National Security Agency (NSA)
- U.S. Federal Bureau of Investigation (FBI)
- U.K. National Cyber Security Centre (NCSC)
- Australia’s cybersecurity agency
- Canada’s Communications Security Establishment (CSE)
- Germany’s Federal Office for Information Security (BSI)
- Netherlands’ National Cyber Security Centre (NCSC-NL)
- New Zealand’s Government Communications Security Bureau (GCSB)
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC)
- Spain’s National Cryptologic Center (CCN)
- Sweden’s National Cyber Security Centre (NCSC-SE)
How Covert Networks Operate
The advisory details how these covert networks function:
- They are primarily composed of compromised Small Office/Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.
- These networks are constantly updated and can be used by multiple actors simultaneously.
- They provide a low-cost, low-risk, and deniable method for malicious activities, disguising the origin and attribution of attacks.
Evidence suggests that Chinese information security companies are involved in creating and supporting these networks. Hackers leverage them for activities such as reconnaissance, malware delivery, and data theft.
Notable Examples and Threats
The advisory highlights specific threats linked to these covert networks:
- Volt Typhoon: A group that has pre-positioned itself within U.S. critical infrastructure.
- Flax Typhoon: A group engaged in cyber espionage activities.
- Raptor Train: A botnet that infected 200,000 devices worldwide.
The networks are described as large, constantly evolving, and rapidly developing, with new networks emerging frequently.
Expert Commentary on China’s Cyber Capabilities
During a speech this week, NCSC CEO Richard Horne emphasized the growing sophistication of China’s cyber operations, stating:
“We know that China’s intelligence and military agencies now display an eye-watering level of sophistication in their cyber operations.”
Defensive Measures Against Covert Networks
The advisory acknowledges that defending against these covert networks is not straightforward. However, it recommends several cybersecurity best practices:
- Implementing widely accepted baseline cybersecurity measures.
- Engaging in active hunting, tracking, and mapping of covert networks.
- Using threat reporting to create and update blocklists.
- Concentrating proactive efforts on the largest and most at-risk organizations.
CISA Acting Director Nick Andersen reinforced the urgency of the threat, stating:
“Working closely with U.S. and international partners, CISA continues to identify and warn organizations of Chinese state-sponsored cyber actors threatening critical infrastructure. This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity.”