Hackers can make use of any vulnerable device in an organization’s infrastructure, officials say.
The United States and global partners issued an advisory on Thursday, warning about the threat posed by Chinese regime-backed hackers using online networks of compromised devices to attack governments and organizations.
“These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as … smart devices,” reads the April 23 joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA).
The CISA alert was issued jointly with the United Kingdom’s National Cyber Security Centre (NCSC-UK) and agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden.
“The NCSC believes that the majority of China-nexus threat actors are using these networks, that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors,” the advisory said.
Covert networks are a “low-cost, low-risk, deniable way” to connect across the internet while disguising the origin and attribution of malicious activity. Hacker groups sponsored by the Chinese Communist Party (CCP) have used such networks with compromised infrastructure against various targets.
For instance, a Chinese regime-backed threat actor, Flax Typhoon, used a covert network to conduct cyber espionage. Another Chinese hacker group, Volt Typhoon, used such a network to pre-position offensive capabilities against critical national infrastructure, which allowed the hackers to attack their target whenever they wanted.
A compromised network of devices dubbed Raptor Train, which had more than 200,000 devices globally within its network in 2024, was under the management of a Chinese company, according to the advisory. The FBI assessed this company to be responsible for hacking activities linked to Flax Typhoon.
The advisory comes as the Trump administration is cracking down on potential national security threats posed by Chinese devices.
Last month, the Federal Communications Commission (FCC) banned the import of all foreign-made commercial routers, a move targeting Chinese-linked brands with security risks.
The decision followed a report published by an executive branch interagency body, which said that allowing foreign routers to dominate the U.S. market created “economic, national security, and cybersecurity risks.”
On March 5, cybersecurity expert Robert Joyce testified in Congress that the Chinese company TP-Link has captured more than 60 percent of the retail market for routers in the United States.
The company dismissed this finding, saying it accounts for only around 37 percent.
Ricca Silverio, senior partner at TP-Link, which has an office in California, told The Epoch Times that “virtually all routers are made outside the United States, including those produced by U.S.-based companies like TP-Link, which manufactures its products in Vietnam.”







