A dozen allied agencies say China is building covert hacker networks out of everyday routers

U.S. and international government agencies warned Thursday about a “widespread shift” in Chinese hacker methods toward the use of large-scale covert networks that compromise common devices to carry out a variety of attacks.

The advisory details how those networks work, and defensive steps organizations should take.

“Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices,” the warning reads.

The U.K. National Cyber Security Centre, Cybersecurity and Infrastructure Security Agency, National Security Agency, FBI and agencies from Australia, Canada, Germany, Netherlands, New Zealand, Japan, Spain and Sweden joined forces on the advisory.

It says that “multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.”

It continues: “Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity.”

Chinese information security companies create and support the networks, evidence suggests, according to the agencies. Hackers use the networks for reconnaissance, malware delivery and stealing information, they said.

Examples of the use of covert networks include activities from groups known as Volt Typhoon to pre-position on U.S. critical infrastructure, and Flax Typhoon to conduct cyber espionage.

An example of a covert network is the botnet Raptor Train, which infected 200,000 devices worldwide. The networks are large, constantly evolving and with new ones being developed constantly.

At a speech this week, NCSC CEO Richard Horne said “we know that China’s intelligence and military agencies now display an eye-watering level of sophistication in their cyber operations.”

Defenses against covert networks aren’t “straightforward,” according to the advisory, but include an assortment of common good cybersecurity practices. The largest and most at-risk organizations should engage in active hunting, tracking and mapping covert networks, using threat reporting to create blocklists and more.

“Working closely with U.S. and international partners, CISA continues to identify and warn organizations of Chinese state-sponsored cyber actors threatening critical infrastructure,” CISA Acting Director Nick Andersen said Thursday. “This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity.”