Commentary | Critical Infrastructure | Communications | OT / ICS

The Attack Is Coming From Inside the Country: China's Compromised-Device Networks and Why Your Perimeter Controls Miss Them

In April, CISA and the UK’s NCSC published a joint advisory co-signed by intelligence and cybersecurity agencies from twelve countries — the United States, United Kingdom, Australia, Canada, Germany, Japan, Netherlands, New Zealand, Spain, and Sweden among them. The document is titled “Defending Against China-Nexus Covert Networks of Compromised Devices.” It describes, with unusual technical specificity, how Chinese state-sponsored actors have restructured the way they conduct cyber operations against Western critical infrastructure.

The advisory received coverage proportionate to its publication date rather than its significance. It deserves more attention than it got.

The Problem With Attributing Traffic to China

The foundational logic of many network defence tools is geographic. Firewall rules block traffic from regions associated with known threat actors. IP reputation systems flag connections from address ranges linked to Chinese, Russian, or Iranian infrastructure. Threat intelligence feeds maintain blocklists of known-bad IPs associated with state-sponsored groups.

This approach has always had limitations. It now has a structural failure mode.

China-nexus threat actors — the advisory specifically names Volt Typhoon and Flax Typhoon, and notes that the networks it describes are likely used by multiple actors simultaneously — have moved away from building or leasing dedicated attack infrastructure. Instead, they operate through what the advisory calls “covert networks”: large pools of compromised devices, predominantly Small Office/Home Office (SOHO) routers and consumer IoT equipment, that serve as multi-hop relay infrastructure for their operations.

The practical effect is significant. An intrusion into a UK energy company that is routed through a compromised broadband router in Manchester, a compromised NAS device in Lyon, and a hacked CCTV camera in Rotterdam does not look like an attack from China. It looks like suspicious traffic from three European IP addresses. The geographic and reputation-based signals that defenders rely on are designed to detect the former; they will not reliably catch the latter.

How the Networks Are Built and Operated

The advisory provides an unusually detailed account of how these covert networks are constructed and maintained.

Threat actors identify vulnerable edge devices — routers past their end-of-life date, IoT devices with default credentials, NAS boxes with unpatched remote access vulnerabilities — and compromise them at scale. The compromised devices are then configured to relay traffic, masking the origin of malicious connections and making attribution meaningfully harder. The networks are not static: compromised devices drop off as they are patched, rebooted, or replaced, and are continuously replaced with newly compromised infrastructure.

The NCSC notes that a single covert network is likely used by multiple distinct threat actor groups simultaneously. This creates an additional analytical problem: observing traffic through a given covert network does not allow defenders to determine which specific threat actor is operating. The infrastructure is shared, and the operations conducted through it may vary from espionage collection to pre-positioning to active intrusion preparation.

Volt Typhoon — the actor extensively documented by CISA, Microsoft, and Five Eyes partners as having pre-positioned capabilities within US and allied critical infrastructure — uses these networks for its pre-positioning operations. Flax Typhoon, which focuses on cyber espionage, uses different covert network infrastructure for its collection activities. The shared methodology reflects a deliberate Chinese doctrine: use disposable, deniable, geographically distributed infrastructure that resists attribution and survives takedown attempts.

Why Takedowns Do Not Solve the Problem

In September 2023, the FBI disrupted a Volt Typhoon botnet comprising compromised home routers — largely Cisco and Netgear devices at end of life. The operation was technically successful: the specific infrastructure was neutralised. Volt Typhoon rebuilt its operational infrastructure relatively quickly and has continued operations. The advisory’s framing reflects this reality: the covert networks are “constantly updated” and replenished, and the underlying pool of vulnerable edge devices available for compromise remains enormous.

This is structurally different from the model of offensive infrastructure that law enforcement has successfully disrupted in the past. Takedowns of ransomware-as-a-service platforms succeed partly because those platforms require specific, identifiable infrastructure — payment portals, leak sites, administrative panels. A botnet composed of an ever-rotating pool of consumer routers has no equivalent chokepoints.

What This Means for Network Defenders

The advisory is careful to note that the threat is not undetectable — only that the standard detection approaches are insufficient. The recommended defences are worth reading in full, but the strategic implications for defenders can be summarised in three points.

Geographic and IP reputation filtering is necessary but not sufficient. Blocking known-bad IPs and high-risk geographies remains valuable. It reduces the attack surface from commodity threat actors and removes low-sophistication intrusion attempts. For state-sponsored actors operating through domestic or allied-nation infrastructure, it provides no meaningful protection. Organisations in critical sectors should not treat geographic filtering as a control against nation-state threats.

Baseline traffic behaviour on edge devices, not just perimeter traffic. The advisory recommends that organisations map and baseline normal traffic from VPN and remote access endpoints, and monitor for anomalous connection patterns from edge devices including SOHO routers where those devices are part of the network perimeter. For enterprise networks, this is primarily relevant to the devices that provide remote access to corporate infrastructure. For OT operators with distributed sites, it is relevant to the industrial networking hardware — including, notably, devices like Siemens RUGGEDCOM — that connect field sites to operational networks.

The vulnerable device pool is partly your own. The NCSC’s observation that covert networks consist primarily of end-of-life SOHO routers and IoT devices with known vulnerabilities has a reflexive implication: if your organisation has end-of-life networking equipment or IoT devices with default credentials on internet-facing segments, those devices are potential recruitment candidates for Chinese covert network infrastructure. This is not merely a theoretical concern. Patching end-of-life devices is often infeasible; replacing them should be treated as a security imperative, not a capital expenditure request.
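As an added illustration of the first two points above (this is example code written for this page, not from the advisory or its authors): a small Python script builds a per-user baseline of remote-access logins from a constructed history window, then evaluates new logins two ways. A pure geographic blocklist passes a login relayed through a domestic residential address; a comparison against the user's own baseline of source /24 prefixes, countries and login hours flags it. The log format, field names, user names and addresses are all constructed for the example and assume a VPN concentrator that already enriches the source IP with a country code.

```python
"""
Baseline-and-anomaly check for VPN / remote-access logins.

Constructed example: the key=value log format, field names, user names and
addresses are invented for this illustration. It assumes the VPN
concentrator has already tagged each source IP with a country code.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed "historical" week of successful logins for two users.
BASELINE_LOG = """
ts=2026-04-01T08:12:03Z user=alice src=203.0.113.17 country=GB result=ok
ts=2026-04-01T17:44:10Z user=alice src=203.0.113.17 country=GB result=ok
ts=2026-04-02T08:05:41Z user=alice src=203.0.113.19 country=GB result=ok
ts=2026-04-03T09:01:22Z user=alice src=203.0.113.17 country=GB result=ok
ts=2026-04-01T07:58:00Z user=bob src=198.51.100.40 country=NL result=ok
ts=2026-04-02T08:10:12Z user=bob src=198.51.100.40 country=NL result=ok
ts=2026-04-03T08:02:55Z user=bob src=198.51.100.41 country=NL result=ok
"""

# Constructed "today": alice's account logs in at 03:00 from a different
# residential /24 in GB. Nothing here trips a CN/RU/IR geographic block.
NEW_LOG = """
ts=2026-04-08T03:07:49Z user=alice src=192.0.2.77 country=GB result=ok
ts=2026-04-08T08:09:30Z user=bob src=198.51.100.40 country=NL result=ok
"""

# The kind of geographic rule the article describes as necessary but not sufficient.
GEO_BLOCKLIST = {"CN", "RU", "IR"}


def parse_line(line):
    """Turn one 'k=v k=v ...' record into a dict; None for blank or malformed lines."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"ts", "user", "src", "country"}.issubset(fields):
        return None
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["src"] = ip_address(fields["src"])
    return fields


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def build_baseline(events):
    """Per user: the /24 prefixes, countries and login hours seen in the history window."""
    base = defaultdict(lambda: {"prefixes": set(), "countries": set(), "hours": set()})
    for e in events:
        if e.get("result") != "ok":
            continue  # only successful sessions define 'normal'
        b = base[e["user"]]
        b["prefixes"].add(ip_network(f"{e['src']}/24", strict=False))
        b["countries"].add(e["country"])
        b["hours"].add(e["ts"].hour)
    return base


def geo_blocked(event):
    """What a purely geographic control would decide for this login."""
    return event["country"] in GEO_BLOCKLIST


def anomalies(baseline, event):
    """Reasons this login deviates from the user's own history (empty list = normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no history for user"]
    reasons = []
    if not any(event["src"] in p for p in b["prefixes"]):
        reasons.append("source /24 never seen for this user")
    if event["country"] not in b["countries"]:
        reasons.append("country never seen for this user")
    # One hour of slack either side of the hours observed in the baseline.
    if not any(abs(event["ts"].hour - h) <= 1 for h in b["hours"]):
        reasons.append(f"login at {event['ts'].hour:02d}:00 outside usual hours")
    return reasons


def review(baseline_text, new_text):
    """Evaluate each new login against both the geo rule and the behavioural baseline."""
    baseline = build_baseline(parse_log(baseline_text))
    return [
        {"user": e["user"], "geo_blocked": geo_blocked(e), "anomalies": anomalies(baseline, e)}
        for e in parse_log(new_text)
    ]


if __name__ == "__main__":
    for r in review(BASELINE_LOG, NEW_LOG):
        print(f"{r['user']}: geo-blocked={r['geo_blocked']} anomalies={r['anomalies'] or 'none'}")
```

Run as-is, the script reports that neither login is geo-blocked, that bob's login matches his baseline, and that alice's login deviates on both source prefix and hour. In production the baseline window would be built from weeks of authentication logs rather than seven lines, and a flagged login would be an alert for an analyst, not an automatic block; the point is that the signal exists only if the organisation has mapped what normal remote-access traffic looks like first.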

The Broader Context

The advisory represents the third major public document from Five Eyes and allied partners describing Chinese pre-positioning in critical infrastructure since 2023. The cadence is notable. The intelligence community does not typically publish technically detailed joint advisories unless it believes the threat picture requires urgent, broad awareness.

The progression — from advisories about specific Volt Typhoon techniques, to CISA emergency directives about specific vulnerabilities being exploited, to this advisory describing the broader infrastructure methodology — suggests that partner intelligence services have reached conclusions about the scale and maturity of Chinese pre-positioning that they believe require public disclosure rather than quiet bilateral notifications to affected operators.

For security and risk professionals briefing boards, the framing matters. These are not espionage operations seeking to steal data. The consensus assessment of Volt Typhoon’s purpose — pre-positioning within critical infrastructure to be able to cause disruption at a time of geopolitical escalation — means the risk calculus is different from conventional cyber threats. The goal is not operational now. The goal is to ensure that options exist later.

That is a different kind of risk management problem than the one most boards are currently being asked to consider.

The joint advisory AA26-113A is available in full from CISA and the NCSC.