Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Attacks | Source: The Register (Security)

Chinese attackers are pwning your infrastructure to use in attacks, 10 countries warn

A joint advisory from ten countries warns that China-nexus threat actors are strategically compromising routers and IoT devices worldwide to build covert proxy networks (botnets) that they then use for further intrusions, data theft, and disruption. The article does not name a single vulnerability, CVSS score, or affected software version; instead it highlights the widespread abuse of end-of-life and SOHO network devices by groups such as Volt Typhoon (KV Botnet) and Flax Typhoon (Raptor Train). Recommended defensive actions include mapping and baselining edge device traffic, particularly VPN and remote-access connections, and applying dynamic threat-feed filtering that includes known covert-network indicators.

All the Typhoons, everywhere, all at once

Jessica Lyons, Thu 23 Apr 2026 // 19:25 UTC

A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations' operations, according to a joint 10-country advisory.

"Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks," the security advisory warned. It was jointly released by the UK National Cyber Security Centre (NCSC) and 15 other government agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden.

"The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale," according to the alert.

Some of these covert networks are created and maintained by Chinese information security companies, the advisory says. For example, China's Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office/home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices. The FBI previously assessed Integrity Technology Group to be responsible for computer intrusion activity attributed to Flax Typhoon.

All the other Typhoons, we're told, also use these covert networks for their infrastructure; sometimes multiple China-linked groups share a single covert network. Volt Typhoon, the PRC-backed crew that the feds say burrowed deep into critical US networks to preposition for future destructive attacks, built its KV Botnet using mostly end-of-life Cisco and Netgear routers.

Because the number of these covert networks is so large, with new botnets regularly developed and deployed and existing ones shutting down, sometimes because of law enforcement disruption efforts, "a description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date - and for most network defenders would not be practically useful," the agencies say.

However, there are steps that defenders can take to combat this threat. "All organizations should map and baseline their edge device traffic, especially VPN and remote access connections, and adopt dynamic threat feed filtering that includes known covert network indicators," the NCSC advises. Additionally, implement multi-factor authentication for remote access along with zero-trust security controls, IP allow lists, and machine certificate verification where possible. The governments also suggest that large and high-risk organizations consider proactively hunting for suspicious SOHO and IoT traffic, using geographic profiling and machine-learning-based anomaly detection.

It's also worth noting that financially motivated cyber crews also co-opt routers and other connected devices to disguise their criminal activities. Just last month, the FBI spoke exclusively to The Register about its work with cops from eight other countries to disrupt SocksEscort, a residential proxy service that compromised hundreds of thousands of routers worldwide and was used to carry out digital fraud, costing businesses and consumers millions.
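The "baseline your remote-access traffic and filter against covert-network indicators" advice above is easy to state and fiddly to operationalise: the indicators are residential-looking addresses that change daily, so a static block list decays fast, while a per-user baseline catches the case where a known account suddenly arrives through an unfamiliar ISP. The script below is an added illustration written for this page, not code from the advisory, the NCSC, or The Register. The VPN log line format, the user names, and the indicator CIDRs are all constructed (RFC 5737 documentation ranges stand in for real feed entries); a real deployment would parse the gateway's actual syslog format and reload the feed on a schedule.

```python
"""Baseline VPN/remote-access source addresses per user and flag logins that
either match a covert-network indicator feed or come from a network the user
has never used.  All data below is constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical syslog-style line format for a VPN gateway (an assumption, not
# any vendor's real format):
#   <ISO8601 time> <host> user=<name> src=<ip> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed indicator feed: CIDRs standing in for published covert-network /
# proxy indicators.  Real feeds churn daily, so reload rather than hard-code.
COVERT_NETWORK_FEED = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Constructed baseline window: "known good" successful logins for two users.
BASELINE_LINES = [
    "2026-04-13T08:01:12Z vpn-gw1 user=alice src=192.0.2.10 result=success",
    "2026-04-14T08:03:40Z vpn-gw1 user=alice src=192.0.2.11 result=success",
    "2026-04-15T17:22:05Z vpn-gw1 user=bob src=198.51.100.7 result=success",
    "2026-04-16T09:10:00Z vpn-gw1 user=bob src=198.51.100.9 result=success",
]

# Constructed events to evaluate against that baseline.
NEW_LINES = [
    "2026-04-23T02:14:31Z vpn-gw1 user=alice src=203.0.113.45 result=success",   # feed hit
    "2026-04-23T08:00:02Z vpn-gw1 user=alice src=192.0.2.12 result=success",     # baseline /24
    "2026-04-23T03:40:19Z vpn-gw1 user=bob src=198.51.100.200 result=failure",   # feed hit, failed
    "2026-04-23T11:05:44Z vpn-gw1 user=bob src=192.0.2.77 result=success",       # new /24 for bob
    "garbage line that does not parse",
]


def parse_event(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ev["src"] = ipaddress.ip_address(ev["src"])
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ev


def source_network(ip):
    """Collapse a source IP to its /24 (IPv6: /48) so DHCP churn inside one
    ISP pool is not mistaken for a brand-new location."""
    plen = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def build_baseline(lines):
    """Map user -> set of source networks seen in successful logins."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["result"] == "success":
            baseline[ev["user"]].add(source_network(ev["src"]))
    return baseline


def in_feed(ip, feed=COVERT_NETWORK_FEED):
    return any(ip in net for net in feed)


def classify(ev, baseline, feed=COVERT_NETWORK_FEED):
    """Return (severity, reason).  A feed hit outranks a baseline deviation:
    a known proxy node is a stronger signal than merely an unfamiliar ISP."""
    if in_feed(ev["src"], feed):
        return "high", "source matches covert-network indicator feed"
    if source_network(ev["src"]) not in baseline.get(ev["user"], set()):
        return "medium", "source network not in user's baseline"
    return "info", "source network in baseline"


def triage(new_lines, baseline_lines=BASELINE_LINES, feed=COVERT_NETWORK_FEED):
    """Evaluate new log lines; return only findings at medium or above."""
    baseline = build_baseline(baseline_lines)
    findings = []
    for line in new_lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable lines are skipped, never treated as safe
        sev, why = classify(ev, baseline, feed)
        if sev != "info":
            findings.append({"user": ev["user"], "src": str(ev["src"]),
                             "result": ev["result"], "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    for f in triage(NEW_LINES):
        print(f"{f['severity'].upper():6} {f['user']:6} {f['src']:16} {f['result']:8} {f['reason']}")
```

Note that failed logins from feed addresses are reported too: a compromised SOHO router spraying credentials at the gateway is exactly the reconnaissance the advisory describes, and dropping failures would hide it. Baselining on the /24 rather than the exact address keeps the medium-severity tier from firing on every ISP lease change while still catching a jump to a different network.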