Global Cyber Agencies Warn of China-Nexus Actors Exploiting Covert Networks of Compromised Devices
A joint advisory from cybersecurity agencies worldwide, including the **NCSC-UK** and **CISA**, highlights the increasing use of covert networks by China-nexus cyber actors. These networks, composed of compromised SOHO routers and IoT devices, are used to mask malicious activity and target organizations globally.
The **National Cyber Security Centre (NCSC-UK)**, along with international partners, has released a joint advisory detailing the shift in tactics, techniques, and procedures (TTPs) employed by China-nexus cyber actors. This shift involves leveraging large-scale networks of compromised devices, referred to as "covert networks," to conduct cyber operations.
**International Collaboration:**
The advisory is a collaborative effort involving:
* Australian Signals Directorate's (ASD's) Australian Cyber Security Centre (ACSC)
* Communications Security Establishment Canada's (CSE's) Canadian Centre for Cyber Security (Cyber Centre)
* Germany Federal Office for the Protection of the Constitution - Bundesamt für Verfassungsschutz (BfV)
* Germany Federal Intelligence Service - Bundesnachrichtendienst (BND)
* Germany Federal Office for Information Security - Bundesamt für Sicherheit in der Informationstechnik (BSI)
* Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
* Netherlands General Intelligence and Security Service - Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
* Netherlands Defence Intelligence and Security Service - Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
* New Zealand National Cyber Security Centre (NCSC-NZ)
* Spain National Cryptologic Centre - Centro Criptológico Nacional (CCN)
* Sweden National Cyber Security Centre - Nationellt cybersäkerhetscenter (NCSC-SE)
* United States Cybersecurity and Infrastructure Security Agency (**CISA**)
* United States Department of Defense Cyber Crime Center (DC3)
* United States Federal Bureau of Investigation (**FBI**)
* United States National Security Agency (**NSA**)
The advisory aims to equip network defenders with the knowledge and tools necessary to defend against these evolving threats.
**The Rise of Covert Networks**
China-nexus threat actors are increasingly moving away from individually procured infrastructure, opting instead for externally provisioned, large-scale networks of compromised devices. These "covert networks" primarily consist of compromised Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices.
These networks, also known as botnets, are strategically used at scale to facilitate malicious cyber activities.
**How Covert Networks Operate**
Covert networks provide a low-cost, low-risk, and deniable method for connecting across the internet, effectively disguising the origin and attribution of malicious activity. Actors utilize these networks throughout the Cyber Kill Chain, from reconnaissance scans to malware delivery, communication with malware, and exfiltration of stolen data. They also enable anonymous browsing for research on exploitation techniques and victims.
**Raptor Train and Integrity Technology Group**
Evidence suggests that Chinese information security companies are involved in the creation and maintenance of these covert networks. The network known as **Raptor Train**, which infected over 200,000 devices worldwide in 2024, was controlled by **Integrity Technology Group**. The **FBI** has assessed this company as responsible for computer intrusion activities attributed to the China-based hackers known as Flax Typhoon.
**Vulnerable Devices and the KV Botnet**
These covert networks often exploit vulnerabilities in SOHO routers, IoT devices (like web cameras and video recorders), firewalls, and Network Attached Storage (NAS) devices. The KV Botnet, used by Volt Typhoon, primarily targeted vulnerable **Cisco** and **NetGear** routers that were "end of life" and no longer receiving security updates.
**The Challenge of Indicator of Compromise (IOC) Extinction**
**Mandiant Intelligence** highlighted the issue of Indicator of Compromise (IOC) Extinction in a May 2024 blog post. The dynamic nature of these networks, with potentially hundreds of thousands of endpoints used by multiple threat actors, renders traditional network defense strategies, such as static malicious IP block lists, less effective.
**Typical Network Topology**
While the specific details of each covert network vary, they generally follow a similar structure:
* **On-ramp/Entry Node:** The initial point of connection to the network.
* **Traversal Nodes:** Multiple compromised devices that forward traffic.
* **Exit Node:** The point where traffic exits the network, often in the same geographic region as the target.

**Protective Measures**
Defending against attacks originating from covert networks requires a multi-faceted approach. Organizations should follow general cybersecurity best practices and consider the following specific measures:
* Implement robust network monitoring and intrusion detection systems.
* Keep all devices, including routers and IoT devices, up-to-date with the latest security patches.
* Segment networks to limit the impact of a potential compromise.
* Enforce strong authentication and access control policies.
* Regularly review and update security policies and procedures.
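The "IOC extinction" problem described above and the first protective measure (network monitoring and intrusion detection) both come down to the same practical point: when each attempt arrives from a different compromised SOHO or IoT device, a per-source-IP threshold or a static block list sees nothing abnormal, so detection has to pivot to the target. The following is an added example, not code from the advisory or from NCSC; it runs two rules over constructed SSH authentication log lines (addresses from the RFC 5737 documentation ranges) and shows that a target-centric rule catches the distributed pattern the per-source rule misses, and how little of that pattern a stale block list would have covered.

```python
"""Distributed login-failure detection (added example; log lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample log. Two patterns are mixed in with one benign failure:
#   - one noisy source hammering "root" (a per-IP threshold catches this)
#   - ten distinct sources, one attempt each, all against "admin" in ten minutes
#     (the pattern a covert network of compromised devices makes cheap)
SAMPLE_LOG = [
    "2024-05-01T09:58:00 sshd[990]: Failed password for root from 198.51.100.9",
    "2024-05-01T09:58:10 sshd[991]: Failed password for root from 198.51.100.9",
    "2024-05-01T09:58:20 sshd[992]: Failed password for root from 198.51.100.9",
    "2024-05-01T09:58:30 sshd[993]: Failed password for root from 198.51.100.9",
    "2024-05-01T09:58:40 sshd[994]: Failed password for root from 198.51.100.9",
    "2024-05-01T09:58:50 sshd[995]: Failed password for root from 198.51.100.9",
    "2024-05-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:01:03 sshd[102]: Failed password for admin from 203.0.113.17",
    "2024-05-01T10:02:07 sshd[103]: Failed password for admin from 203.0.113.23",
    "2024-05-01T10:03:02 sshd[104]: Failed password for admin from 203.0.113.41",
    "2024-05-01T10:04:11 sshd[105]: Failed password for admin from 203.0.113.58",
    "2024-05-01T10:04:30 sshd[200]: Failed password for alice from 192.0.2.10",
    "2024-05-01T10:05:09 sshd[106]: Failed password for admin from 203.0.113.77",
    "2024-05-01T10:06:04 sshd[107]: Failed password for admin from 203.0.113.90",
    "2024-05-01T10:07:15 sshd[108]: Failed password for admin from 203.0.113.102",
    "2024-05-01T10:08:06 sshd[109]: Failed password for admin from 203.0.113.113",
    "2024-05-01T10:09:01 sshd[110]: Failed password for admin from 203.0.113.140",
]


def parse_events(lines):
    """Return (timestamp, user, source) tuples sorted by time; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return sorted(events)


def detect_per_source(events, window=timedelta(minutes=10), threshold=5):
    """Traditional rule: flag any single source with >= threshold failures inside a window.
    Returns {source: max failures seen in one window}."""
    by_src = defaultdict(list)
    for ts, _user, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():  # times are already in order
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def detect_distributed(events, window=timedelta(minutes=10), min_sources=8):
    """Target-centric rule: flag an account attacked from >= min_sources distinct
    sources inside a window, no matter how few attempts each source makes.
    Returns {user: set of attacking sources}."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, items in by_user.items():
        for i, (t0, _src) in enumerate(items):
            srcs = {src for ts, src in items[i:] if ts - t0 <= window}
            if len(srcs) >= min_sources and len(srcs) > len(flagged.get(user, ())):
                flagged[user] = srcs
    return flagged


def blocklist_coverage(sources, blocklist):
    """Fraction of the observed attacking sources a static block list would have stopped."""
    observed = set(sources)
    if not observed:
        return 0.0
    return len(observed & set(blocklist)) / len(observed)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("per-source rule flagged:", detect_per_source(ev))
    dist = detect_distributed(ev)
    print("distributed rule flagged:", {u: len(s) for u, s in dist.items()})
    # A constructed, already-stale block list that happens to know two of the ten devices.
    stale_list = {"203.0.113.5", "203.0.113.17", "198.51.100.9"}
    print("static list coverage of the admin attack:", blocklist_coverage(dist["admin"], stale_list))
```

The per-source rule only reports the single noisy address, while every one of the ten devices aimed at `admin` stays below its threshold; the target-centric rule reports `admin` with all ten sources, and the stale list would have stopped two of them. In production the same aggregation is normally done per account, per login endpoint or per destination service in the SIEM, with the window and source count tuned to the organisation's own baseline.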
Further guidance is available on the **NCSC** website; organizations should also take applicable laws and regulations into account when applying these measures.