New cybersecurity risks hide in routers and China-linked covert networks, agencies warn

Cybersecurity agencies from all over the world are warning businesses and organizations to better defend against cyberattacks and cyber threats from covert networks used by Chinese state-sponsored hackers.
The UK’s National Cyber Security Centre (NCSC) and 15 international partners have issued a new advisory detailing how to defend against China-linked actors who try to obscure their malicious cyber activities via so-called “covert networks.”
These kinds of networks consist of internet-connected edge devices that have been compromised, such as routers, Internet of Things (IoT) devices, and smart devices. Covert networks are being used by China-linked hackers to disguise the origins of their cyberattacks, making detection and attribution more difficult.
These networks are being leveraged at scale to target critical sectors globally, steal sensitive data, maintain persistent access, and support attacks on critical infrastructure, the agencies claim.
The new guidance outlines practical steps organizations can take to reduce exposure, including better monitoring of network activity, enabling multi-factor authentication (MFA), implementing zero-trust policies, and restricting unnecessary connections to external infrastructure.
It also urges defenders to focus on detecting suspicious behavior rather than relying solely on indicators tied to known infrastructure.
Paul Chichester, Director of Operations at the NCSC, said the guidance is intended to help network defenders adapt to a shift in tactics by threat actors seeking to obscure their operations and avoid attribution.
“Our new joint advisory consolidates insights and proactive advice from across the international cyber security community to help network defenders combat the use of covert networks,” he says in a statement.
“The NCSC will not shy away from shining a light on these techniques, and we call on organizations to act now to better defend their critical assets,” Chichester continues.
The announcement of the advisory comes amid increasing concerns over state-backed cyber threats. According to NCSC officials, the agency handles around four nationally significant cybersecurity incidents per week. In most cases, the attackers appear to originate from hostile states with an offensive cyber program rather than being financially motivated cybercriminals.
The advisory has been issued by cybersecurity agencies and partners from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, Sweden, the United Kingdom, and the United States.