NCSC-UK Warns of China-Linked Covert Networks Using Hijacked IoT Devices

The UK’s National Cyber Security Centre (NCSC), along with international partners, has issued a joint warning about a growing trend among China-linked hackers: the use of large-scale proxy networks made up of hijacked consumer devices to mask their activities.

This advisory, co-signed by cybersecurity agencies from the U.S., Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, reveals that most Chinese hacking groups have shifted away from manually acquiring infrastructure to building massive botnets using compromised devices—especially small office/home office (SOHO) routers, IoT cameras, video recorders, and network-attached storage (NAS) units.

These botnets enable attackers to route traffic through chains of hijacked devices, entering the network at one point, passing through multiple intermediate nodes, and exiting near the target, effectively evading geographic detection.

“The NCSC believes that the majority of China-nexus threat actors are using these networks […], that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors,”

“These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.”

Covert network basic setup
Covert network basic setup (NCSC-UK)

One notable example is the Raptor Train botnet, which infected over 260,000 devices globally in 2024. Linked to the Chinese state-sponsored Flax Typhoon hacking group and the sanctioned Chinese firm Integrity Technology Group (designated in January 2025), the FBI disrupted Raptor Train in September 2024 with assistance from Black Lotus Labs. The botnet was associated with campaigns targeting U.S. and Taiwanese entities in sectors like defense, government, telecommunications, and higher education.

A separate network, known as KV-Botnet, was reportedly used by the Chinese state-backed Volt Typhoon threat group. It primarily consisted of outdated Cisco and Netgear routers that had stopped receiving security updates. The FBI took down KV-Botnet in January 2024 by wiping malware from infected devices. However, Volt Typhoon attempted to revive it in November 2024 after an initial failed effort in February.

“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks,” said Paul Chichester, Director of Operations at NCSC-UK.

Western intelligence agencies behind the advisory caution that traditional defenses—such as blocking static lists of malicious IP addresses—are becoming less effective as these botnets continuously add new compromised nodes.

Organizations of all sizes are advised to:

  • Implement multifactor authentication
  • Map network edge devices
  • Use dynamic threat feeds that include known covert network indicators
  • Apply IP allowlists where possible
  • Deploy zero-trust controls
  • Utilize machine certificate verification

Related Articles

Back to top button