The National Security Agency said Thursday it has joined cyber authorities in the United Kingdom and Australia to publish joint guidance warning that China-linked hackers are increasingly relying on large, externally managed covert networks built from compromised devices to mask their operations.
In a cybersecurity advisory released with the UK’s National Cyber Security Centre and the Australian Signals Directorate’s Australian Cyber Security Centre, the NSA describes a growing ecosystem of dynamic botnets that harness hijacked small office and home office equipment—such as routers, firewalls and network-attached storage—as well as internet-of-things hardware including webcams, video recorders and other smart devices. By routing malicious traffic through these networks at scale, threat actors can obscure where attacks originate, reduce costs and risk, and complicate attribution.
According to the advisory, the covert infrastructure used by multiple China‑nexus actors is constantly refreshed and reconfigured in response to law enforcement actions, defensive measures, software updates and newly discovered exploits. That churn, combined with the fact that ordinary users also traverse the same networks and devices, undermines traditional defense models that rely on enumerating known bad infrastructure or tightly linking activity to an identified operator. The agencies say that while specific networks change frequently, many share a common architecture, and understanding those shared characteristics can help defenders spot and counter intrusions.
The guidance outlines how these covert networks are typically assembled and employed as access vectors and pivots during intrusions, marking what the agencies describe as a broad shift away from infrastructure individually procured and controlled by a single actor. It also offers concrete mitigations for organizations of all sizes, with steps tailored to reduce the risk that devices will be conscripted into a botnet or used to penetrate enterprise environments.
The joint advisory emphasizes that the threat is twofold: entities targeted by China‑nexus operators may see attacks funneled through these covert networks, and owners of vulnerable equipment may unknowingly contribute to them. The agencies urge cybersecurity analysts and network defenders—particularly those protecting national security assets, the U.S. Department of War and the Defense Industrial Base—to implement the protections and mitigations detailed in the document.
The NSA directed organizations to consult the full advisory for technical specifics and recommended defenses, and pointed readers to its broader library of cybersecurity guidance for additional resources. The agency said the effort reflects an ongoing push to help owners and operators harden edge devices and reduce the pool of hardware available for abuse by sophisticated cyber actors.
The advisory is available on U.S. government websites.





