A newly issued cybersecurity advisory highlights an evolution in the tactics, techniques and procedures (TTPs) employed by China-Nexus threat actors. The report, released with support from the UK Cyber League and coordinated by the National Cyber Security Centre (NCSC-UK) alongside international partners, sheds light on how Chinese threat actors are relying on large-scale covert networks of compromised devices to conduct malicious cyber operations.
A Strategic Shift in China-Nexus TTPs
In recent years, cybersecurity experts have observed a clear transition in China-Nexus TTPs. Rather than relying on dedicated, individually controlled infrastructure, Chinese threat actors are now leveraging expansive networks of compromised devices, commonly referred to as covert networks or botnets. These networks are primarily composed of Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and other internet-connected hardware.
According to the advisory, the majority of China-Nexus actors are believed to be using such covert networks, with multiple networks operating simultaneously and often shared among different groups. These networks are continuously updated, making them highly adaptable and difficult to track.
Any organization targeted by Chinese threat actors could be affected. For example, the group known as Volt Typhoon has used these covert networks to pre-position cyber capabilities within critical infrastructure, while Flax Typhoon leveraged similar methods for espionage operations.
How Covert Networks Operate
Although botnets are not new, China-Nexus actors are now deploying them at an unprecedented scale and with strategic intent. These covert networks allow attackers to mask their identity, route malicious traffic through multiple nodes, and reduce the risk of attribution.
Typically, an attacker accesses the network via an entry point, or “on-ramp,” and routes activity through numerous compromised devices—called traversal nodes—before exiting near the target. This multi-hop approach obscures the origin of the attack.
These networks support every stage of a cyber operation, from reconnaissance and scanning to malware delivery, command-and-control communication, and data exfiltration. They are also used for general browsing, enabling threat actors to research vulnerabilities and refine TTPs without revealing their identity. The presence of legitimate users on some networks further complicates attribution.
Real-World Examples and Scale
Evidence suggests that some covert networks used by China-Nexus actors are developed and maintained by Chinese cybersecurity firms. One notable example is the “Raptor Train” network, which infected over 200,000 devices globally in 2024. It was reportedly managed by Integrity Technology Group, a company also linked by the FBI to activities associated with Flax Typhoon.
Another example includes the KV Botnet used by Volt Typhoon, which primarily exploited outdated Cisco and NetGear routers. These devices were particularly vulnerable because they had reached “end-of-life” status, meaning they no longer received security updates.
The scale and adaptability of these networks present a major challenge. As Paul Chichester, NCSC Director of Operations, stated: “Botnet operations represent a significant hreat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks.”
Challenges for Network Defenders
Cybersecurity researchers have long been aware of such threats, but the evolving nature of China-Nexus TTPs introduces new difficulties. A key issue identified by Mandiant Intelligence in May 2024 is “indicator of compromise (IOC) extinction.” Traditional defenses, such as static IP blocklists, are becoming less effective because attackers can operate from vast, constantly changing pools of devices.
As compromised nodes are patched or removed, new ones are quickly added, making these networks highly dynamic. This fluidity undermines conventional detection and mitigation strategies.
Defensive Measures and Best Practices
The advisory outlines several steps organizations can take to defend against China-Nexus covert networks:
For all organizations:
- Maintain a clear inventory of network edge devices.
- Establish baselines for normal network activity, particularly VPN access.
- Monitor for unusual connections, including those from consumer broadband ranges.
- Use dynamic threat intelligence feeds.
- Implement multi-factor authentication for remote access.
For higher-risk organizations:
- Use IP allow lists instead of blocklists for VPN access.
- Apply geographic and behavioral profiling of incoming connections.
- Adopt zero-trust security models.
- Enforce SSL machine certificates.
- Reduce exposure of internet-facing systems.
- Explore machine learning tools to detect anomalies.
For the most at-risk entities:
- Treat China-Nexus covert networks as advanced persistent threats (APTs).
- Conduct active threat hunting for suspicious IP activity.
- Map and monitor known covert networks using threat intelligence.
