China is using networks of hacked devices to launch cyber attacks, making it hard to trace them. This article explains how these networks work and what organizations can do to protect themselves.
Summary
With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners, including the Australian Cyber Security Centre (ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), and several other global cybersecurity entities. Its purpose is to equip network defenders with the necessary tools to combat China-nexus cyber actors who leverage large-scale networks of compromised devices, known as covert networks, to conduct their malicious activities.
Introduction
In recent years, there has been a significant shift in the tactics, techniques, and procedures (TTPs) employed by China-nexus cyber actors. They are increasingly moving away from individually procured infrastructure towards utilizing large-scale networks of compromised devices. The NCSC reports that these covert networks are primarily made up of compromised Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and other smart devices. Notably, state-sponsored groups like Volt Typhoon have utilized these networks to position offensive cyber capabilities against critical national infrastructure, while Flax Typhoon has employed them for cyber espionage.
Covert Networks
Covert networks facilitate a low-cost, low-risk method for cyber actors to connect across the internet, effectively masking the origin and attribution of their malicious activities. They are used throughout the Cyber Kill Chain, from reconnaissance to malware delivery and data exfiltration. The challenge of attribution is exacerbated by the fact that some of these networks are also used by legitimate customers, making it difficult to discern malicious activity.
Recent evidence suggests that these covert networks are maintained by Chinese information security companies, with the Raptor Train network being a prime example. In 2024, it infected over 200,000 devices worldwide and was controlled by Integrity Technology Group, a company linked to Flax Typhoon's cyber intrusion activities. The KV Botnet used by Volt Typhoon was primarily composed of vulnerable Cisco and NetGear routers, many of which were outdated and no longer receiving security updates. NCSC Director of Operations, Paul Chichester, emphasized the significant threat posed by botnet operations, which exploit vulnerabilities in everyday internet-connected devices, potentially leading to large-scale cyber attacks.
Typical Network Topology
The number of covert networks employed by China-nexus cyber actors is extensive, with new networks frequently being developed. These networks are dynamic; they evolve in response to defensive measures, legal actions, and new exploits targeting various technologies. Understanding the general structure of these networks can assist researchers and defenders in identifying and mitigating threats. A typical covert network consists of entry nodes, traversal nodes, and exit nodes, with traffic being routed through multiple compromised devices before reaching its destination, often in the same geographic region as the target.
Protective Advice
Defending against attacks from covert networks requires tailored strategies based on organizational resources and risk levels. The NCSC recommends the following actions for all organizations:

Do Now
1. Map and understand network edge devices to identify organizational assets.
2. Establish a baseline for normal connections, particularly for corporate VPNs.
3. Utilize dynamic threat feeds that include covert network infrastructure.

For larger organizations or those at higher risk, additional measures may be warranted, such as:

Do Next
4. Implement multi-factor authentication for remote connections.
5. Apply IP address allow lists for VPN connections.
6. Use geographic allow lists and profile incoming connections based on various factors.

These protective measures should be carried out in compliance with applicable laws and regulations regarding network and data security. Organizations are advised that while these actions can significantly reduce risk, they cannot eliminate it entirely.
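As an added example (not from the advisory), the following Python triages constructed VPN authentication log lines against the checks listed above: a covert-network threat feed, a VPN source IP allow list, a geographic allow list, and a per-user baseline of normal connection countries. The feed ranges, allow lists, GeoIP mapping, usernames and log format are all constructed placeholders.

```python
import ipaddress

# Constructed placeholder data (not from the advisory). In practice the feed comes
# from a dynamic threat-feed subscription and the GeoIP lookup from a real database.
COVERT_NETWORK_FEED = {"203.0.113.0/24", "198.51.100.7/32"}   # placeholder feed ranges
VPN_ALLOW_LIST = {"192.0.2.0/24"}                             # placeholder corporate ranges
GEO_ALLOW_LIST = {"GB", "US", "AU"}                           # countries permitted to connect
USER_BASELINE = {"alice": {"GB"}, "bob": {"US"}}              # countries each user normally uses
GEOIP = {"192.0.2.10": "GB", "203.0.113.45": "US",           # constructed IP-to-country table
         "198.51.100.7": "BR", "192.0.2.77": "GB"}

def _in_ranges(ip, ranges):
    """True if ip falls inside any CIDR range in the set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def assess_vpn_login(line):
    """Parse one constructed log line and return the list of findings for it."""
    # Constructed log format: "<iso-timestamp> user=<name> src=<ip> result=<ok|fail>"
    _ts, user_kv, src_kv, _result_kv = line.split()
    user = user_kv.split("=", 1)[1]
    src = src_kv.split("=", 1)[1]
    findings = []
    if _in_ranges(src, COVERT_NETWORK_FEED):          # item 3: known covert-network node
        findings.append("covert-network-feed")
    if not _in_ranges(src, VPN_ALLOW_LIST):           # item 5: source not on IP allow list
        findings.append("not-on-ip-allow-list")
    country = GEOIP.get(src, "??")
    if country not in GEO_ALLOW_LIST:                 # item 6: geographic allow list
        findings.append(f"geo-blocked:{country}")
    if country not in USER_BASELINE.get(user, set()): # item 2: deviation from user baseline
        findings.append(f"outside-user-baseline:{country}")
    return findings

def triage(log_lines):
    """Return {log_line: findings} for every line that raised at least one finding."""
    report = {}
    for ln in log_lines:
        findings = assess_vpn_login(ln)
        if findings:
            report[ln] = findings
    return report

SAMPLE_LOG = [  # constructed sample lines
    "2024-09-18T08:02:11Z user=alice src=192.0.2.10 result=ok",
    "2024-09-18T08:05:40Z user=alice src=203.0.113.45 result=ok",
    "2024-09-18T03:17:02Z user=bob src=198.51.100.7 result=ok",
    "2024-09-18T09:00:00Z user=bob src=192.0.2.77 result=ok",
]
```

A login that trips only the baseline check (the last sample line) is worth a review, while one that also matches the covert-network feed and fails the allow lists should be escalated.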
Conclusion
The evolving landscape of cyber threats posed by China-nexus actors underscores the need for robust defensive strategies. By understanding the structure and operation of covert networks, organizations can better prepare to defend against these sophisticated cyber threats. The advisory also stresses that defenses must adapt to the dynamic nature of these networks: traditional static defenses may no longer be effective against an extensive and constantly evolving threat landscape.