Defending Against China-Nexus Covert Networks of Compromised Devices
Executive Summary
China-nexus cyber actors have transitioned from using individually procured infrastructure to operating large-scale covert networks - botnets built from compromised routers and other edge devices. These networks are utilized for each phase of the Cyber Kill Chain, from reconnaissance and malware delivery to command and control and data exfiltration against targets of espionage and offensive cyber operations.
According to the report, the threat is a dynamic, low-cost, deniable infrastructure model that can be rapidly reshaped, rendering traditional static IP block lists ineffective.
Key Threats
Covert networks enable China-nexus actors to launch cyber attacks against UK organizations, stealing sensitive data and potentially disrupting critical services. The report indicates that because the covert networks are constantly refreshed and share nodes across multiple threat groups, defenders face “IOC extinction” - indicators of compromise disappear as quickly as they are discovered. Consequently, organizations that rely solely on static defenses risk being bypassed, while those that adopt adaptive, intelligence-driven measures can better mitigate the risk.
Defensive Measures
The NCSC and the Cyber League, in conjunction with the co-sealing agencies, have developed advice specifically to combat this threat. This advisory contains guidance for small, medium, and large organizations.
- It is recommended that all organizations map and baseline their edge device traffic, especially VPN and remote access connections.
- Adopt dynamic threat feed filtering that includes known covert network indicators.
- Implement two-factor authentication for remote access and, where possible, apply zero trust controls, IP allow lists, and machine certificate verification.
Furthermore, larger or high-risk entities should consider:
- Active hunting of suspicious SOHO/IOT traffic.
- Geographic profiling.
- Machine learning-based anomaly detection.
Promptly applying the recommended mapping, baseline, and zero trust measures is essential to reduce organizational exposure to China-nexus covert network attacks and to protect critical assets.