Covert Networks and Cyber Espionage: The Rising Threat of China-Linked Actors

The landscape of cybersecurity is constantly evolving, and recent advisories from major global cybersecurity agencies have shed light on a particularly alarming trend: the use of covert networks by actors linked to China for espionage and offensive operations. On April 24, 2026, several cybersecurity organizations, including the UK’s National Cyber Security Centre (NCSC), issued a joint advisory that highlights the growing sophistication of these threats.
The Emergence of Covert Networks
In recent years, cybersecurity experts have observed a troubling increase in the use of compromised devices to create covert networks that can be utilized for nefarious purposes. These networks often consist of small office/home office (SOHO) routers, Internet of Things (IoT) devices, and various smart gadgets that are either compromised or intentionally manipulated to serve the interests of malicious actors.
One notable example is the Raptor Train operation, which successfully infected over 200,000 devices in 2024. This operation is just one in a series of campaigns that have been attributed to Chinese-linked threat actors. The advisory from cybersecurity agencies emphasizes that such operations are not isolated incidents but part of a broader strategy employed by these actors to conduct espionage and offensive cyber operations.
Understanding the Threat Landscape
The advisory issued by global cybersecurity agencies outlines the characteristics of these covert networks and the actors behind them. These networks are often described as botnet-like in nature, meaning they consist of a large number of compromised devices that can be controlled remotely. The scale and complexity of these operations raise significant concerns for national security and the integrity of private organizations worldwide.
Connections to Chinese Companies
One of the more troubling aspects of this advisory is the connection to specific Chinese companies. Integrity Technology Group has been identified as a key player in the management of these covert networks. The company has been linked to state-sponsored threat actor groups, such as Flax Typhoon, which have been implicated in cyberattacks and espionage efforts targeting organizations in multiple countries.
These connections raise questions about the extent of state-sponsored cyber activities and the implications for international relations. The use of private companies to carry out cyber operations adds a layer of complexity to attribution and accountability, making it difficult for affected nations to respond effectively.
Recognizing the Patterns of Attack
The advisory emphasizes that the networks being utilized by these threat actors are not only extensive but also interconnected. Multiple parallel networks are shared across several actor groups, which points to a high level of coordination among them. This shared infrastructure gives the operators a more robust and resilient operational structure and makes it harder for defenders to attribute activity to one group or to neutralize a network by taking down a single operator.
Indicators of Compromise
To combat these sophisticated threats, cybersecurity agencies have provided practical steps for defenders to detect and counteract the activities of these covert networks. Some of the key indicators of compromise include:
- Unusual traffic patterns from SOHO routers and IoT devices, such as outbound volume far above the device's normal baseline or near-periodic connections to a single destination.
- Devices on the network that are not in the asset inventory, or known devices behaving unlike their expected role.
- Firmware or configuration changes that were not initiated by the device owner.
- Outbound connections to IP addresses on a threat-intelligence list of known malicious infrastructure.
By monitoring these indicators, organizations can take proactive measures to safeguard their networks against potential intrusions.
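As an added example (not part of the advisory or of this article), the following Python script runs the network-visible indicators above over flow records from an IoT segment: a source MAC absent from the inventory, a destination on a threat-intelligence list, egress far above a device's baseline, and near-periodic contact with one destination. The flow format, the device inventory with its per-hour baselines, the threat-intel list and the flow records are all constructed for the demo (IPs are RFC 5737 documentation addresses); a real deployment would feed it NetFlow/IPFIX exports and a live inventory.

```python
"""Run device-level indicators of compromise over IoT/SOHO flow records.

Added example, not from the advisory. Assumptions (all constructed): a flow
exporter on the IoT segment emits one line per flow as
    <epoch_seconds>,<src_mac>,<src_ip>,<dst_ip>,<dst_port>,<bytes_out>
the defender keeps an inventory keyed by MAC with an expected outbound
volume per hour, and a threat-intel feed of destination IPs.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory: MAC -> (name, expected outbound bytes per hour).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-camera", 2_000_000),
    "aa:bb:cc:00:00:02": ("printer", 500_000),
}

# Constructed threat-intel feed of known-bad destination IPs.
KNOWN_BAD_IPS = {"203.0.113.45"}

# Constructed flow records covering one hour on the IoT VLAN.
SAMPLE_FLOWS = """\
1700000000,aa:bb:cc:00:00:01,192.168.50.10,192.168.50.1,53,120
1700000060,aa:bb:cc:00:00:01,192.168.50.10,198.51.100.7,443,900
1700000120,aa:bb:cc:00:00:01,192.168.50.10,198.51.100.7,443,880
1700000180,aa:bb:cc:00:00:01,192.168.50.10,198.51.100.7,443,910
1700000240,aa:bb:cc:00:00:01,192.168.50.10,198.51.100.7,443,890
1700000300,aa:bb:cc:00:00:01,192.168.50.10,198.51.100.7,443,905
1700000400,aa:bb:cc:00:00:02,192.168.50.11,192.168.50.1,53,100
1700000500,aa:bb:cc:00:00:02,192.168.50.11,203.0.113.45,8443,4096
1700000600,aa:bb:cc:00:00:02,192.168.50.11,198.51.100.20,443,6000000
1700000700,aa:bb:cc:00:00:99,192.168.50.77,198.51.100.9,443,300
"""


def parse_flows(text):
    """Parse the CSV-style export into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, mac, src, dst, port, nbytes = parts
        flows.append({"ts": float(ts), "mac": mac, "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def find_unknown_devices(flows):
    """Indicator: a source MAC that is not in the asset inventory."""
    return {f["mac"] for f in flows if f["mac"] not in INVENTORY}


def find_known_bad_destinations(flows):
    """Indicator: an outbound flow to an IP on the threat-intel feed."""
    return sorted({(f["mac"], f["dst"], f["port"])
                   for f in flows if f["dst"] in KNOWN_BAD_IPS})


def find_volume_anomalies(flows, factor=5):
    """Indicator: a known device sending more than factor x its baseline.

    A camera or printer relaying an operator's traffic shows up as a sudden
    multiple of its normal egress. Unknown MACs have no baseline here.
    """
    totals = defaultdict(int)
    for f in flows:
        totals[f["mac"]] += f["bytes"]
    hits = {}
    for mac, total in totals.items():
        if mac in INVENTORY and total > factor * INVENTORY[mac][1]:
            hits[mac] = (total, INVENTORY[mac][1])
    return hits


def find_beacons(flows, min_count=5, max_jitter=0.1):
    """Indicator: near-periodic contact with one destination (C2 beaconing).

    Flags a (mac, dst, port) group with at least min_count flows whose gaps
    vary by no more than max_jitter of the mean gap. A legitimate cloud
    heartbeat trips this too, so treat hits as leads, not verdicts.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["mac"], f["dst"], f["port"])].append(f["ts"])
    hits = []
    for key, ts in groups.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(key + (avg,))
    return sorted(hits)


def run_detections(text):
    """Apply all four indicators and return one report dict."""
    flows = parse_flows(text)
    return {
        "unknown_devices": find_unknown_devices(flows),
        "known_bad_destinations": find_known_bad_destinations(flows),
        "volume_anomalies": find_volume_anomalies(flows),
        "beacons": find_beacons(flows),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_FLOWS).items():
        print(f"{name}: {result}")
```

On the sample data the script reports the unknown MAC, the printer's flow to the listed IP, the printer's egress spike, and the camera's one-minute beacon to 198.51.100.7. The beacon and volume checks are deliberately coarse; in practice the thresholds are tuned per device class, and a hit is a trigger to pull the device's firmware and configuration for review, not a conviction on its own.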
Mitigation Strategies
In addition to recognizing the indicators of compromise, the advisory outlines several mitigation strategies that organizations can implement to protect their systems from these covert networks:
- Regular Firmware Updates: Ensuring that all devices, especially SOHO routers and IoT gadgets, are regularly updated can help close security vulnerabilities.
- Network Segmentation: Dividing networks into smaller segments can limit the spread of an attack and reduce the risk of widespread compromise.
- Strong Authentication Practices: Implementing multi-factor authentication and strong password policies can significantly enhance security.
- Continuous Monitoring: Employing advanced monitoring tools can help detect unusual activity and respond promptly to potential threats.
- User Education: Training employees about cybersecurity best practices can empower them to recognize and report suspicious activities.
These strategies are not exhaustive, but they serve as a foundational approach to building a more resilient cybersecurity posture.
The Role of International Collaboration
Given the global nature of the threats posed by these covert networks, international collaboration is essential in combating cybercrime. Cybersecurity agencies across the world must work together to share intelligence, develop joint response strategies, and establish common frameworks for understanding and addressing cyber threats.
Information Sharing Initiatives
Initiatives such as the Cybersecurity Information Sharing Act of 2015 in the United States (CISA 2015, not to be confused with the agency of the same acronym) and similar legislation in other countries aim to facilitate the sharing of information about cyber threats and vulnerabilities. By fostering a culture of collaboration among nations, organizations can collectively enhance their defenses against the sophisticated tactics employed by actors linked to China and other malicious entities.
Conclusion
The advisory issued by global cybersecurity agencies serves as a stark reminder of the evolving threat landscape posed by covert networks linked to China. Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks associated with these sophisticated operations. By implementing robust security measures, fostering international collaboration, and maintaining awareness of the threat landscape, it is possible to defend against these insidious threats and protect sensitive information from falling into the wrong hands.
As the cyber environment continues to change, staying informed and prepared will be crucial for both public and private sector organizations in their quest to maintain cybersecurity integrity in an increasingly interconnected world.