CISA Warns China-Linked Hackers Hide Behind Routers

WASHINGTON - CISA and allied cyber agencies warned that China-nexus cyber actors are routing espionage and offensive operations through covert networks built from compromised routers, Internet of Things devices, firewalls and storage appliances.
The April 23 advisory, issued by the U.K. National Cyber Security Centre with CISA, the FBI, the NSA and other international partners, says the shift makes a basic defensive habit less reliable: blocking a known malicious IP address after it appears in logs.
What Happened
CISA's posted advisory says China-nexus actors have moved away from relying mainly on individually procured infrastructure and toward externally provisioned, large-scale networks of compromised devices. The advisory says those networks are mainly made up of small office/home office (SOHO) routers, IoT devices and smart devices.
The agencies call the systems covert networks. In plain English, that means a botnet of hacked edge devices that lets an operator bounce traffic through victims before reaching a target. CISA says actors have used those networks for reconnaissance scans, malware delivery, command and control, stolen data exfiltration and deniable internet browsing.

The technical problem is geography and churn. The advisory says an actor typically enters through an on-ramp node, passes traffic through compromised traversal devices, then exits from another compromised device near the target. That exit traffic can look like it came from an ordinary consumer or business connection.
NCSC-UK says that model creates "IOC extinction," meaning indicators of compromise can disappear as nodes are patched, replaced or removed. The agency's executive summary says the networks are constantly refreshed and can share nodes across multiple threat groups, which weakens static defenses.
CISA says one network known as Raptor Train infected more than 200,000 devices worldwide in 2024 and was controlled and managed by the Chinese company Integrity Technology Group. The advisory says the FBI assessed that company was responsible for computer intrusion activity attributed to China-based hackers known as Flax Typhoon. CISA also says the KV Botnet used by Volt Typhoon was mainly made up of vulnerable Cisco and Netgear routers.
Many of those edge devices were exposed because they were end-of-life, according to the advisory. That means manufacturers no longer provided routine updates or security patches, leaving known flaws available for repeat exploitation.
The advisory also warns that some covert networks are used by legitimate customers. That matters for defenders because malicious activity can sit beside normal browsing or business traffic inside the same rented or compromised infrastructure, making attribution and blocking decisions slower.
The Response
U.S. and allied agencies are telling organizations to treat edge-device visibility as a security priority, not an IT inventory chore. NCSC-UK recommends that organizations map network edge devices, establish a baseline for normal VPN and remote-access connections, adopt dynamic threat feeds, and require multifactor authentication for remote connections.
For larger or higher-risk organizations, the advisory points to IP allow lists, geographic profiling, zero trust controls, machine certificate verification, reduced internet-facing exposure and anomaly detection. The practical message is that defenders need to understand what should be connecting before they can spot what should not be there.
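The difference between the two defensive models described above can be shown on a few log lines. The Python script below is an added example, not code from the advisory or from any agency tool; the VPN log lines, the blocklist entry, the allow-listed prefixes and the user names are all constructed for illustration. It builds a per-user baseline of (ASN, country) pairs from a learning window, then runs three checks over a day of new logins: a static IOC blocklist holding last week's exit node, a prefix allow list of corporate and partner ranges, and the behavioural baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample VPN gateway log lines (not taken from the advisory).
# Fields: timestamp user source_ip asn country
BASELINE_LOGS = """\
2026-04-01T08:02:11Z alice 203.0.113.10 AS64500 US
2026-04-01T08:05:42Z bob 198.51.100.23 AS64501 US
2026-04-02T07:58:03Z alice 203.0.113.10 AS64500 US
2026-04-03T09:10:55Z bob 198.51.100.24 AS64501 US
2026-04-03T09:12:19Z carol 192.0.2.77 AS64502 GB
"""

NEW_LOGS = """\
2026-04-23T03:14:07Z alice 203.0.113.10 AS64500 US
2026-04-23T03:16:30Z alice 198.18.0.55 AS64511 BR
2026-04-23T03:18:02Z bob 198.51.100.23 AS64501 US
2026-04-23T03:19:10Z carol 192.0.2.77 AS64502 GB
2026-04-23T03:20:45Z carol 192.0.2.150 AS64512 US
"""

# Hypothetical IOC: the relay exit node seen last week. The covert network
# has since rotated, so this address never appears in today's logs.
STATIC_BLOCKLIST = {"198.18.0.54"}

# Hypothetical allow list of corporate and partner prefixes. Remote staff on
# consumer ISPs (carol) cannot be expressed as a fixed prefix.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


def parse(logs):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in logs.strip().splitlines():
        ts, user, ip, asn, cc = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "asn": asn, "cc": cc})
    return events


def build_baseline(events):
    """Per-user set of (ASN, country) pairs seen during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add((e["asn"], e["cc"]))
    return baseline


def blocklist_hits(events, blocklist):
    """Static IOC matching: fires only on an exact, previously seen address."""
    return [e for e in events if e["ip"] in blocklist]


def allowlist_misses(events, nets):
    """IP allow list: any source outside the known-good prefixes is flagged."""
    return [e for e in events
            if not any(ipaddress.ip_address(e["ip"]) in n for n in nets)]


def baseline_anomalies(events, baseline):
    """Behavioural check: a user arriving from an ASN/country never seen for them."""
    return [e for e in events
            if (e["asn"], e["cc"]) not in baseline.get(e["user"], set())]


def triage(baseline_logs=BASELINE_LOGS, new_logs=NEW_LOGS):
    """Run all three checks over the new events and return what each flags."""
    baseline = build_baseline(parse(baseline_logs))
    new = parse(new_logs)
    return {
        "blocklist": blocklist_hits(new, STATIC_BLOCKLIST),
        "allowlist": allowlist_misses(new, ALLOWED_NETS),
        "baseline": baseline_anomalies(new, baseline),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {len(hits)} flagged")
        for e in hits:
            print(f"  {e['ts']} {e['user']} {e['ip']} {e['asn']} {e['cc']}")
```

On this constructed data the blocklist flags nothing, because the node it names has already been rotated out. The allow list flags both suspicious logins but also carol's normal login from her home ISP, which is the false-positive cost of prefix-based allow listing for a remote workforce. The per-user baseline flags exactly the two logins that matter: alice arriving from a Brazilian ASN and carol arriving from a US ASN she has never used. Note that the second one is from a US network, so country-level geofencing for a US organization would not catch it; the signal is the change relative to that user's own history, not the country.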

CISA's related August 2025 advisory, AA25-239A, says PRC state-sponsored cyber threat actors are targeting telecommunications, government, transportation, lodging and military infrastructure networks globally. That advisory says the actors often focus on major telecommunications routers and provider edge or customer edge routers, then use compromised devices and trusted connections to move into other networks.
The China Ministry of Foreign Affairs has rejected U.S. attribution in previous Volt Typhoon allegations. In October 2024, spokesperson Mao Ning said Chinese institutions had accused the United States of spreading disinformation about Volt Typhoon and using cyber claims to frame China. Her remarks said China "opposes and fights hacking activities" and urged the United States to stop what Beijing called cyberattacks and smears.
That denial does not change the operational guidance in the new advisory. CISA and its partners are not asking defenders to accept a political conclusion before acting. They are describing a pattern of traffic routing, device compromise and infrastructure churn that can be hunted in logs and controlled through access policy.
For small organizations, the guidance raises a cost problem. A forgotten router or camera can become useful to a foreign intelligence service even when the device owner is not the intended target. For large organizations, the risk is different: a nearby compromised device can help an actor approach a VPN, supplier portal or exposed service from traffic that looks less suspicious than a server in a known bad data center.
What People Are Saying
"Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices." - CISA advisory AA26-113A
"Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity." - CISA advisory AA26-113A
"The threat is a dynamic, low-cost, deniable infrastructure model that can be rapidly re-shaped, rendering traditional static IP block lists ineffective." - U.K. National Cyber Security Centre executive summary
"China condemns such irresponsible moves by the US, and urges the US to immediately stop its cyberattacks globally and stop smearing China by using cybersecurity issues." - Mao Ning, China Ministry of Foreign Affairs spokesperson, October 15, 2024
The Big Picture
The advisory turns a consumer-hardware problem into a national-security concern. CISA and its partners are describing ordinary routers, cameras, recorders, firewalls and network-attached storage devices as disposable relay points for state-linked operations.
For U.S. organizations, the next test is whether security teams can inventory their edge devices well enough that old routers, forgotten appliances and unusual VPN connections stand out. The agencies' guidance points toward a defensive model built around asset control, identity checks and behavior detection, rather than a model that waits for yesterday's bad IP address to appear again.