You’ve invested in threat feeds, deny lists, and perimeter monitoring. Your team reviews alerts, your VPN is locked down, and you block known bad actors at the firewall. So why have 16 national cyber agencies, including the NCSC, FBI, NSA, and CISA, just published a joint advisory warning that this approach is becoming less reliable?
The answer lies in a quiet but significant shift in how state-sponsored attackers are operating, and it has implications for organisations of every size.
The Playbook Has Changed
For years, China-nexus cyber actors built or procured their own attack infrastructure: dedicated servers, VPNs, and hosting arrangements that, once identified, could be tracked and blocked.
That’s no longer how they operate.
The NCSC now assesses that the majority of China-nexus threat actors have moved to using large-scale networks of compromised devices, routing their activity through other people’s hardware to obscure where attacks are coming from. These networks are built from devices that are already inside legitimate networks:
- Home routers
- Office firewalls
- IP cameras
- Network-attached storage devices
One network, known as Raptor Train, infected more than 200,000 devices worldwide. It was controlled and managed by a Chinese information security company, and used by the group known as Flax Typhoon to conduct cyber espionage.
A separate network, the KV Botnet, was used by Volt Typhoon to pre-position offensive capabilities inside critical national infrastructure.
These are not opportunistic attacks. They are deliberate, strategic, and operating at scale.
If your organisation operates in critical national infrastructure, financial services, or government, you are in the target set for both groups.
Why Your Block List Can’t Keep Up
The traditional response to a known threat actor is to block the IP addresses they use. It's simple, auditable, and it works as long as the attacker is using a fixed or predictable set of infrastructure.
Covert networks break that model entirely.
When an attack can arrive from any one of hundreds of thousands of constantly rotating IP addresses, spread across compromised consumer routers and IoT devices in dozens of countries, a static deny list becomes largely ineffective. The cyber security industry has a name for this: IoC extinction. As old devices are patched, taken offline, or replaced, new ones are recruited into the network. The pool of potential source addresses never shrinks; it just changes, and an indicator you blocked last week tells you nothing about the address the same actor uses today.
This is compounded by the fact that some of these networks also carry legitimate traffic, making it harder still to separate malicious connections from normal ones based on IP address alone.
If your current network defence relies primarily on blocking known bad IPs, this advisory is a direct signal that your detection strategy needs to evolve alongside the threat.
The Devices Being Used Are Ones You Recognise
This is not abstract infrastructure sitting in a data centre somewhere. The KV Botnet was built largely from end-of-life Cisco and Netgear small office and home office routers: hardware that was still connected and still routing traffic, but no longer receiving security patches from its manufacturer.
That’s the common thread across almost every covert network documented in this advisory: not sophisticated zero-days against hardened targets, but outdated, unpatched, or simply forgotten devices on the network perimeter.
End-of-life hardware is not just a compliance concern. In this threat environment it is a potential recruitment point into a covert attack network, and one your current monitoring may not flag. If you haven't recently scanned for vulnerable infrastructure on your network edge, that's a gap worth closing sooner rather than later.
What To Do, Depending on Where You Are
The NCSC advisory structures its protective advice across three levels, and it’s worth being honest about which one applies to your organisation.
For all organisations, the starting point is visibility:
- Map your network edge devices and develop a clear picture of what should be connecting to them
- Baseline normal connections to your corporate VPN. If you see traffic from consumer broadband ranges you wouldn't expect, investigate it
- Implement multi-factor authentication for all remote access if you haven't already
- Leverage dynamic threat feeds that include covert network infrastructure, rather than relying on static block lists
For larger or higher-risk organisations, the shift from deny lists to allow lists is worth serious consideration:
- Restrict VPN access to expected IP ranges rather than trying to block known bad addresses
- Enforce machine certificates for SSL VPN connections, so that a valid password presented from an unexpected device is not enough to connect
- Use geographic profiling and connection behaviour to flag anomalies
- Apply zero trust architecture consistently; it significantly reduces the impact of a covert network gaining an initial foothold
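The VPN baselining step in the first list and the allow-list approach in this one, shown together as an added example (this is not code from the NCSC advisory or from this post). It assumes a syslog-style VPN gateway log format, an expected-range list and a static deny list, all constructed for the example; 192.0.2.0/24 stands in for consumer broadband space. The same log is checked both ways, which makes the difference concrete: the deny list catches only the one address that was already known, while the allow list flags every source that is not where your users should be coming from.

```python
"""Allow list versus static deny list for VPN access.

Added example, not from the NCSC advisory or the original post. Log format,
address ranges and the deny list are all constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed: the ranges this organisation expects VPN users to connect from.
EXPECTED_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # HQ internet egress (constructed)
    "198.51.100.0/25",   # cloud jump hosts (constructed)
)]

# Constructed static deny list: addresses that were "known bad" last week.
DENY_LIST = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}

# Constructed VPN gateway log. 192.0.2.x plays the role of rotating
# consumer-broadband sources; only the first of them is on the deny list.
SAMPLE_LOG = """\
2025-11-03T08:01:12Z vpn01 auth-ok user=alice src=203.0.113.45
2025-11-03T08:02:51Z vpn01 auth-ok user=bob src=198.51.100.12
2025-11-03T08:03:07Z vpn01 auth-fail user=alice src=192.0.2.10
2025-11-03T08:03:09Z vpn01 auth-fail user=alice src=192.0.2.77
2025-11-03T08:03:12Z vpn01 auth-fail user=alice src=192.0.2.131
2025-11-03T08:04:40Z vpn01 auth-ok user=carol src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (auth-\w+) user=(\S+) src=(\S+)$")


def parse(log: str) -> list[dict]:
    """Parse the assumed log format into events; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, result, user, src = m.groups()
        events.append({"ts": ts, "host": host, "result": result,
                       "user": user, "src": ipaddress.ip_address(src)})
    return events


def deny_list_hits(events: list[dict]) -> list[dict]:
    """What a static block list would have stopped: exact matches only."""
    return [e for e in events if e["src"] in DENY_LIST]


def allow_list_violations(events: list[dict]) -> list[dict]:
    """What an allow list flags: every source outside the expected ranges."""
    return [e for e in events
            if not any(e["src"] in net for net in EXPECTED_RANGES)]


def unexpected_sources_by_user(events: list[dict]) -> Counter:
    """Per-user count of attempts from unexpected ranges, the baseline to investigate."""
    return Counter(e["user"] for e in allow_list_violations(events))


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("deny list caught :", [str(e["src"]) for e in deny_list_hits(ev)])
    print("allow list flags :", [str(e["src"]) for e in allow_list_violations(ev)])
    print("by user          :", dict(unexpected_sources_by_user(ev)))
```

On this constructed log the deny list matches one of the three unexpected sources; the allow list matches all three and attributes them to a single account, which is the lead an analyst would actually pick up. In production the expected ranges come from your own egress and partner inventory, and the log regex from your gateway's real format.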
For organisations facing the highest levels of threat, including those operating essential services, treat China-nexus covert networks as APTs in their own right:
- Hunt actively for connections from IP addresses associated with SOHO routers and IoT devices
- Use dynamic blocklists updated from live threat feeds rather than static lists
- Use NetFlow data to identify and map network nodes before they are used against you
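The NetFlow mapping step above, as an added example that is not part of the advisory or of this post: a heuristic for spotting one of your own edge devices being used as a relay node. It assumes a CSV NetFlow export with the field names shown, a constructed local address space, and a table of the ports each edge device is expected to serve to the internet; the flow records are made up for the example. The logic is the behaviour the advisory describes from the defender's side: a device that accepts inbound sessions on a port it should not be serving and, moments later, opens outbound sessions to unrelated external destinations is behaving like a proxy, whatever its source addresses are.

```python
"""Relay-node hunt over NetFlow records.

Added example; not code from the NCSC advisory or the original post.
Field names, address space, expected services and flow data are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the organisation's own address space. Its edge firewall is 203.0.113.1.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]
# Assumed: ports each edge device legitimately serves to the internet (VPN, IKE).
EXPECTED_SERVICES = {"203.0.113.1": {443, 500, 4500}}
WINDOW = timedelta(seconds=5)   # outbound sessions this soon after an inbound one are paired
MIN_PEERS = 3                   # distinct relayed destinations before a host is flagged

# Constructed NetFlow export. Three sessions hit the firewall on 8443 (not a
# service it offers); each is followed within seconds by an outbound session
# from the firewall to a different external host. The 02:10:30 VPN session
# and the 02:30 outbound update check are benign.
SAMPLE_FLOWS = """\
start,src,sport,dst,dport,proto,bytes
2025-11-03T02:10:00Z,198.18.5.7,51322,203.0.113.1,8443,tcp,1200
2025-11-03T02:10:02Z,203.0.113.1,40011,192.0.2.60,443,tcp,18000
2025-11-03T02:10:30Z,198.18.70.1,44321,203.0.113.1,443,tcp,9000
2025-11-03T02:11:00Z,198.18.9.21,51990,203.0.113.1,8443,tcp,900
2025-11-03T02:11:01Z,203.0.113.1,40012,192.0.2.88,22,tcp,6100
2025-11-03T02:11:05Z,10.0.1.20,55002,192.0.2.200,443,tcp,3400
2025-11-03T02:12:00Z,198.18.44.3,50210,203.0.113.1,8443,tcp,1100
2025-11-03T02:12:03Z,203.0.113.1,40013,192.0.2.140,443,tcp,25000
2025-11-03T02:30:00Z,203.0.113.1,40020,192.0.2.250,443,tcp,700
"""


def is_local(ip) -> bool:
    return any(ip in net for net in LOCAL_NETS)


def parse_flows(text: str) -> list[dict]:
    """Parse the assumed CSV export into flow dicts sorted by start time."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return sorted(flows, key=lambda f: f["start"])


def hunt_relays(flows: list[dict], window=WINDOW, min_peers=MIN_PEERS) -> dict:
    """Return {local host: {external destinations}} for hosts that accept inbound
    sessions on ports they should not serve and then originate outbound sessions
    to distinct external peers within `window` of each inbound session."""
    inbound = defaultdict(list)    # local host -> inbound flows on unexpected ports
    outbound = defaultdict(list)   # local host -> outbound flows to external peers
    for f in flows:
        if not is_local(f["src"]) and is_local(f["dst"]):
            if f["dport"] not in EXPECTED_SERVICES.get(str(f["dst"]), set()):
                inbound[f["dst"]].append(f)
        elif is_local(f["src"]) and not is_local(f["dst"]):
            outbound[f["src"]].append(f)

    suspects = {}
    for host, ins in inbound.items():
        peers = set()
        for i in ins:
            for o in outbound.get(host, []):
                if i["start"] <= o["start"] <= i["start"] + window:
                    peers.add(str(o["dst"]))
        if len(peers) >= min_peers:
            suspects[str(host)] = peers
    return suspects


if __name__ == "__main__":
    for host, peers in hunt_relays(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible relay {host}: relayed to {sorted(peers)}")
```

The thresholds are deliberately low so the constructed data trips them; on real exports you would tune the window and peer count against a week of baseline and exclude devices whose outbound fan-out is legitimate (a mail relay, a forward proxy). The same pairing logic also gives you the map the advisory asks for: the inbound sources and the paired destinations are the neighbouring nodes of the covert network you have just found on your own perimeter.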
- If you want to understand how your organisation would hold up against this level of adversary, that's precisely what red team engagements are designed to surface
The Wider Picture
This advisory carries unusual weight. Sixteen agencies across the UK, US, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden have aligned on a single document. That level of coordination reflects a shared assessment that the threat is significant, consistent, and not going away.
The good news is that the defensive steps are well-defined. This is not a situation where the industry is scrambling to understand what’s happening. The question worth asking now is whether your current defences would tell you if a covert network was already using your perimeter to route traffic.
If you want to understand your current exposure to covert network traffic, or identify vulnerable devices on your network edge before someone else does, we can help you scan for vulnerable infrastructure and penetration test your network edge to see what’s actually visible from the outside.