British businesses are being urged to enhance their vigilance against a China-linked hacking strategy that exploits everyday devices for espionage. The UK’s National Cyber Security Centre (NCSC), along with agencies from nine other countries, has issued a warning about persistent attempts by Beijing-backed groups to compromise equipment such as wifi routers to launch cyber-attacks.
These operations, known as “covert networks” or “botnets,” typically target vulnerable devices, such as outdated models or those lacking software updates, and use them as a base for activities like surveillance and data theft. The NCSC noted that this technique is employed by the majority of China-linked hackers.
Sophisticated Cyber Operations
Richard Horne, chief executive of the NCSC, stated on Wednesday that China’s intelligence and military agencies possess an “eye-watering level of sophistication in their cyber-operations.” Speaking at the NCSC’s annual conference in Glasgow, he emphasized: “We face more than just a capable cyber-threat but a peer competitor in cyberspace.”
The advisory, published in collaboration with cyber-agencies from countries including the US, Australia, Canada, and Germany, warns of a “major shift” in Chinese tactics, which now use internet-connected devices to obscure the origin of attacks. Routers are the most commonly hijacked devices, but printers and web cameras are also vulnerable.
How the Attacks Work
Security officials compare compromised routers to virtual private networks, which allow users to mask their location. A household’s wifi router could be used as a conduit to attack an unrelated major company. While the NCSC guidance is not directed at the general public, who might unknowingly provide a launchpad for espionage, it urges companies and organizations to take specific steps.
These include mapping out IT systems, including connections to consumer broadband networks, implementing multifactor authentication for remote access, and limiting network connections to external devices.
Covert Networks and Threat Actors
The NCSC stated in its advisory: “The NCSC believes that the majority of China-nexus threat actors are using these networks, that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors. These networks are mainly made up of compromised small office home office routers, as well as internet of things and smart devices.”
A China-backed group, known as Volt Typhoon to Western authorities, has been identified as a user of covert networks and has infiltrated key US infrastructure, including rail, aviation, and water systems. The NCSC added that these covert networks are now built and maintained by private Chinese companies. In one instance, a Chinese business created a covert network by infecting 200,000 devices worldwide.
Earlier this year, Google announced it had disrupted a “residential proxy” network used by cybercrime groups and state actors to launch attacks from hacked household and IT devices.



