China-linked hacking groups are increasingly using compromised home routers, smart devices and other edge equipment to mask cyber operations, raising fresh concerns among security agencies over espionage, data theft and long-term access to critical networks.
A coordinated warning issued by cyber authorities across the UK, the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain and Sweden has highlighted a clear shift in tactics. Instead of depending mainly on rented servers, purchased domains or dedicated command infrastructure, threat actors are routing malicious activity through sprawling networks of hijacked devices that are harder to trace, block or attribute.
These covert networks are largely built from small office and home office routers, internet-connected cameras, video recorders, firewalls, network-attached storage systems and other poorly maintained devices. Many are exposed to the internet, no longer supported by vendors, running outdated firmware, or protected by weak credentials. Once compromised, they can serve as relay points that help attackers appear as ordinary local traffic rather than foreign state-linked operators.
The method gives cyber groups several advantages. It reduces the cost of operations, makes attribution more difficult, and allows attackers to rotate infrastructure quickly when defenders identify suspicious activity. Security teams that rely heavily on static lists of malicious IP addresses face a growing problem because infected devices may be patched, replaced or taken offline while new devices are added to the same covert network.
The advisory described this challenge as a form of “indicator extinction”, where technical signs of compromise disappear almost as quickly as they are discovered. That dynamic has made conventional blocking strategies less reliable, particularly for organisations facing nation-state threats. Network defenders are being urged to map and baseline normal traffic patterns, monitor edge devices more closely, limit remote access exposure, and use intelligence-led filtering rather than relying solely on fixed blacklists.
Volt Typhoon and Flax Typhoon are among the groups linked to this pattern of activity. Volt Typhoon has been associated with efforts to pre-position cyber capabilities inside critical infrastructure, while Flax Typhoon has been tied to espionage activity using compromised infrastructure. These groups are part of a wider ecosystem in which multiple actors may use the same covert network, making it harder to separate one campaign from another.
One major example is Raptor Train, a botnet that infected more than 200,000 devices worldwide in 2024. It included routers, cameras, video recorders and other internet-connected equipment, and was linked by investigators to Integrity Technology Group, a company based in China. Another example is the KV Botnet, which was mainly made up of vulnerable Cisco and Netgear routers and was used in activity associated with Volt Typhoon.
The concern for businesses and public agencies is not limited to the infected devices themselves. A compromised router in a home or small office may become a staging point for attacks on government departments, telecommunications providers, transport networks, energy operators or technology companies. By exiting through devices close to the target’s geography, attackers can blend more easily into expected traffic patterns and reduce the chance of detection.
The warning also reflects a broader escalation in state-linked cyber activity. UK security officials have said nationally significant cyber incidents are being handled at a rate of about four a week, with the highest-impact operations increasingly involving state-backed actors or groups aligned with state interests. China, Russia and Iran remain central concerns for western cyber agencies, though China-linked activity has drawn particular attention because of its scale, persistence and use of commercially supported infrastructure.
Organisations are being advised to reduce exposure by keeping router and firewall firmware updated, replacing unsupported equipment, disabling unnecessary management interfaces, enforcing multi-factor authentication, logging remote access activity, and segmenting networks so that compromise of an edge device does not provide easy movement into sensitive systems. Larger targets are being encouraged to conduct active threat hunting, track unusual proxy patterns and assess whether outbound traffic is being routed through suspicious residential or small-business devices.
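The advice in the two paragraphs above, to baseline normal traffic and to filter on current intelligence rather than a fixed blocklist, and the "indicator extinction" problem that motivates it, can be shown in a small detector. The following is an added Python example written for this article, not code from the advisory or from any of the agencies named; the indicator feed, the 14-day confidence window, the baseline set, the flow-log format and all addresses and timestamps are constructed assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# All values below are constructed for this example; none come from the advisory.
# Indicator feed: relay IP -> time the indicator was last confirmed active.
INDICATOR_FEED = {
    "203.0.113.10": datetime(2024, 9, 1),   # old entry; device likely patched or rotated out
    "198.51.100.7": datetime(2024, 9, 20),
    "192.0.2.44": datetime(2024, 9, 28),
}

# How long an indicator is trusted after it was last confirmed. A short window models
# "indicator extinction": relay devices churn, so old entries stop being evidence.
INDICATOR_TTL = timedelta(days=14)

# Evaluation time for the example run (assumed).
NOW = datetime(2024, 9, 30, 12, 0, 0)

# Baseline of (destination, port) pairs observed during a clean learning period (assumed).
BASELINE = {("93.184.216.34", 443)}

# Constructed outbound flow records in an assumed key=value format.
FLOW_LOG = """\
2024-09-30T10:00:01 src=10.0.5.12 dst=93.184.216.34 dport=443
2024-09-30T10:00:04 src=10.0.5.12 dst=198.51.100.7 dport=443
2024-09-30T10:00:09 src=10.0.5.20 dst=203.0.113.10 dport=8443
2024-09-30T10:00:15 src=10.0.5.31 dst=192.0.2.44 dport=443
2024-09-30T10:00:21 src=10.0.5.12 dst=93.184.216.34 dport=443
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def live_indicators(feed, now=NOW, ttl=INDICATOR_TTL):
    """Return only the indicators still inside their confidence window."""
    return {ip for ip, last_seen in feed.items() if now - last_seen <= ttl}


def parse_flow(line):
    """Parse one flow line into a dict; raise on malformed input rather than guessing."""
    m = FLOW_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_flows(log_text, feed=INDICATOR_FEED, baseline=BASELINE, now=NOW, ttl=INDICATOR_TTL):
    """Label each outbound flow: known_bad (live indicator), baseline (seen before), or off_baseline.

    Stale indicators are deliberately not used on their own; the flow is judged against the
    baseline instead, which is what still fires when the relay has churned faster than the feed.
    """
    live = live_indicators(feed, now, ttl)
    verdicts = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        key = (rec["dst"], rec["dport"])
        if rec["dst"] in live:
            verdict = "known_bad"
        elif key in baseline:
            verdict = "baseline"
        else:
            verdict = "off_baseline"
        verdicts.append((rec["src"], rec["dst"], rec["dport"], verdict))
    return verdicts


def summarize(verdicts):
    """Count verdicts so a reviewer sees the split at a glance."""
    return dict(Counter(v[-1] for v in verdicts))


if __name__ == "__main__":
    results = classify_flows(FLOW_LOG)
    for src, dst, dport, verdict in results:
        print(f"{src} -> {dst}:{dport}  {verdict}")
    print(summarize(results))
```

The third flow is the instructive one: its destination was on the feed a month earlier, so a static blocklist would still match it long after the device has been patched or replaced, while a freshly recruited relay would be absent from that list altogether. Ageing the feed and falling back to the baseline means the flow is still surfaced for review as an unfamiliar destination, without the detection depending on an indicator that may already be extinct.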