The United States and global partners issued an advisory on Thursday, warning about the threat posed by Chinese regime-backed hackers using online networks of compromised devices to attack governments and organizations.
“These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as … smart devices,” reads the April 23 joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA).
The CISA alert was issued jointly with the United Kingdom’s National Cyber Security Centre (NCSC-UK) and agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden.
“The NCSC believes that the majority of China-nexus threat actors are using these networks, that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors,” the advisory said.
Covert networks are a “low-cost, low-risk, deniable way” to connect across the internet while disguising the origin and attribution of malicious activity. Hacker groups sponsored by the Chinese Communist Party (CCP) have used such networks with compromised infrastructure against various targets.
For instance, the Chinese regime-backed threat actor Flax Typhoon used a covert network to conduct cyber espionage. Another Chinese hacking group, Volt Typhoon, used such a network to pre-position offensive capabilities against critical national infrastructure, giving the hackers the ability to strike their targets at a time of their choosing.
A network of compromised devices dubbed Raptor Train, which comprised more than 200,000 devices worldwide in 2024, was managed by a Chinese company, according to the advisory. The FBI assessed that company to be responsible for hacking activity linked to Flax Typhoon.
The advisory comes as the Trump administration is cracking down on potential security threats posed to national security by Chinese devices.
Last month, the Federal Communications Commission (FCC) banned the import of all foreign-made commercial routers, a move targeting Chinese-linked brands seen as posing security risks.
The decision followed a report published by an executive branch interagency body, which said that allowing foreign routers to dominate the U.S. market created “economic, national security, and cybersecurity risks.”
On March 5, cybersecurity expert Robert Joyce testified in Congress that the Chinese company TP-Link has captured more than 60 percent of the retail market for routers in the United States.
The company dismissed this figure, saying it accounts for only around 37 percent of the market.
Ricca Silverio, senior partner at TP-Link, which has an office in California, told The Epoch Times that “virtually all routers are made outside the United States, including those produced by U.S.-based companies like TP-Link, which manufactures its products in Vietnam.”
Vulnerable Devices
In the CISA advisory, the agencies said that while covert networks mostly consist of compromised SOHO routers, the hackers can use any vulnerable device in an organization’s infrastructure that can be exploited at scale.
“Raptor Train was made up of thousands of SOHO routers and IoT devices, such as web cameras and video recorders, as well as firewalls and Network Attached Storage (NAS) devices. The KV Botnet used by Volt Typhoon was mainly made up of vulnerable Cisco and NetGear routers.”
On April 8, the FCC said it wanted to ban all Chinese labs from testing electronic devices, such as cameras and smartphones, for use in the United States. According to the agency, a significant share of all electronics in the United States is tested in Chinese labs.
On April 9, the FCC issued a notice highlighting security concerns about Chinese-linked telecommunications companies operating data centers in the United States.
The 2026 Annual Threat Assessment report of the U.S. Intelligence Community warned that China is the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”
According to the report, China, as well as threat actors from Russia, Iran, North Korea, and other ransomware groups, “have the ability to pre-position or execute disruptive and destructive attacks against U.S. critical infrastructure and other targets. They continue to pour resources into operations to compromise U.S. systems and core global IT resources.”
Jill McLaughlin contributed to this report.