
🎯 Basically, Chinese state-linked hackers are routing their attacks through networks of hijacked home routers and IoT devices, so the traffic looks like it comes from ordinary residential addresses and is hard to trace back to them.
What Happened
On April 23, 2026, a joint security advisory from the U.S. and allied nations revealed that Chinese government hackers are increasingly employing covert networks of compromised devices to conduct cyberattacks. These networks, typically built from hacked small office and home office (SOHO) routers and IoT devices, act as relay points: the victim sees connections from ordinary residential or small-business addresses rather than from the attackers' own infrastructure, which obscures the true origin and complicates detection and response.
The Threat
The advisory highlights that this tactic is not new but is now being used strategically and at scale by China-linked cyber actors. Notably, the KV Botnet was used in the Volt Typhoon attacks targeting U.S. critical infrastructure, while the Raptor Train botnet, comprising over 200,000 devices, was involved in attacks against Taiwan. These botnets support extensive reconnaissance, malware delivery, and data exfiltration while hiding the operators' true origin.
Who's Behind It
The advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, and the Department of Defense’s Cyber Crime Center, in collaboration with intelligence agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden. This collaborative effort underscores the global concern regarding the sophistication and scale of these cyber threats.
Tactics & Techniques
Chinese cyber actors are reportedly exploiting known vulnerabilities in consumer-grade routers and IoT devices to build these covert networks. The approach conceals their activity and gives them a very large pool of compromised endpoints to relay through, so a given source address may be used only briefly before the operators move to another node. That churn is what makes traditional defenses such as static IP blocklists less effective: by the time an address is known and blocked, the activity has typically moved on.
Defensive Measures
In light of these developments, the advisory recommends the defensive measures listed below. As the threat landscape evolves, organizations must adapt their security strategies to counter these tactics effectively. The advisory warns that the dynamic nature of these covert networks, where new devices are continuously added and others drop out, further complicates defense, because indicators tied to specific IP addresses age quickly.
Do Now
- 1. Network Mapping: Baseline normal connectivity patterns within your organization (which users and systems connect to which services, from where, and when) so that connections outside that baseline stand out.
- 2. Threat Intelligence: Stay informed about current botnet activity and the router and IoT vulnerabilities being exploited to build these networks.
- 3. Multi-Factor Authentication: Require MFA for all remote connections, so that a stolen password relayed through a compromised router is not enough on its own.
Do Next
- 4. Access Controls: Implement IP allowlisting for administrative and remote-access services where the legitimate sources are known, and segment networks to limit how far an intruder can move.
- 5. Zero-Trust Principles: Adopt a zero-trust approach to network security, ensuring that no device or connection is trusted by default because of where it appears to come from.
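To make the network-mapping and blocklist points concrete, here is an added example (not code from the advisory or from any of the issuing agencies) that compares the two approaches over a constructed remote-access log. The learning-period log, the later log, the usernames, the addresses (all from documentation ranges) and the one-entry static blocklist are all made up for illustration. The script learns which source addresses each user normally logs in from, then flags logins from never-seen addresses and, separately, a user cycling through several new addresses within minutes, which is the pattern you get when a session is relayed through a rotating set of compromised devices. The static blocklist, by construction, only catches the address that was already known.

```python
"""Baseline-vs-blocklist check for remote-access logins.

Added example: the log lines, users, addresses and blocklist below are
constructed for illustration and are not taken from the advisory.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed learning-period log: "timestamp user src_ip service result"
BASELINE_LOG = """\
2026-04-01T08:02:11Z alice 203.0.113.10 vpn success
2026-04-01T08:05:42Z bob 198.51.100.7 vpn success
2026-04-02T08:03:01Z alice 203.0.113.10 vpn success
2026-04-02T09:10:30Z bob 198.51.100.7 vpn success
2026-04-03T08:01:55Z alice 203.0.113.10 vpn success
2026-04-03T18:44:12Z carol 192.0.2.55 ssh success
"""

# Constructed later log: alice's account is used from three unfamiliar
# addresses in a few minutes, then from her usual address during the day.
NEW_LOG = """\
2026-04-23T02:14:09Z alice 198.51.100.201 vpn success
2026-04-23T02:15:40Z alice 203.0.113.77 vpn success
2026-04-23T02:17:03Z alice 192.0.2.140 vpn success
2026-04-23T08:04:20Z alice 203.0.113.10 vpn success
2026-04-23T08:06:11Z bob 198.51.100.7 vpn success
"""

# Hypothetical static blocklist holding the one relay address already reported.
STATIC_BLOCKLIST = {"198.51.100.201"}


def parse_log(text):
    """Parse the space-separated constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, service, result = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": ipaddress.ip_address(src),
            "service": service,
            "result": result,
        })
    return records


def build_baseline(records):
    """Per user, the set of source addresses seen in successful logins."""
    baseline = defaultdict(set)
    for r in records:
        if r["result"] == "success":
            baseline[r["user"]].add(r["src"])
    return baseline


def blocklist_hits(records, blocklist):
    """The static approach: match only addresses already on the list."""
    blocked = {ipaddress.ip_address(a) for a in blocklist}
    return [r for r in records if r["src"] in blocked]


def baseline_anomalies(records, baseline,
                       window=timedelta(minutes=10), rotation_threshold=3):
    """Flag logins from addresses never seen for that user, and flag a user
    seen from `rotation_threshold` distinct new addresses inside `window`."""
    new_ip_logins = []
    rotation_alerts = []
    recent = defaultdict(list)  # user -> [(ts, src)] of recent new-IP logins
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["src"] in baseline.get(r["user"], set()):
            continue  # known address for this user: nothing to flag
        new_ip_logins.append(r)
        bucket = recent[r["user"]]
        bucket.append((r["ts"], r["src"]))
        bucket[:] = [(t, s) for t, s in bucket if r["ts"] - t <= window]
        distinct = {s for _, s in bucket}
        if len(distinct) >= rotation_threshold:
            rotation_alerts.append(
                (r["user"], r["ts"], sorted(str(s) for s in distinct)))
    return new_ip_logins, rotation_alerts


def summarize(baseline_text, new_text, blocklist):
    """Run both checks over the logs and return plain values for comparison."""
    baseline = build_baseline(parse_log(baseline_text))
    new = parse_log(new_text)
    hits = blocklist_hits(new, blocklist)
    new_ips, rotations = baseline_anomalies(new, baseline)
    return {
        "blocklist_hits": [str(r["src"]) for r in hits],
        "new_ip_logins": [(r["user"], str(r["src"])) for r in new_ips],
        "rotation_alerts": [(u, ips) for u, _, ips in rotations],
    }


if __name__ == "__main__":
    for key, value in summarize(BASELINE_LOG, NEW_LOG, STATIC_BLOCKLIST).items():
        print(f"{key}: {value}")
```

On the constructed input the blocklist catches one of the three relayed logins, while the baseline flags all three and raises a single rotation alert for alice at the third address. In practice the baseline would come from VPN, identity-provider or SSH logs over a realistic learning window, and a new-address login is a signal to correlate with MFA outcome and time of day rather than an automatic block.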
🔒 Pro insight: The rise of covert relay networks means the source address of an attack tells you very little. Organizations must shift detection from "where did this come from" to "is this behavior normal for this user or system", and tune for infrastructure that changes faster than blocklists can be updated.