Hackers Abuse Compromised Routers to Hide China-Linked Cyber Operations
China-linked hacking groups are using compromised routers, IoT devices, cameras, firewalls, and other edge systems to hide cyber operations against organizations worldwide. The UK’s National Cyber Security Centre and international partners warn that these “covert networks” help attackers mask their origin, steal sensitive data, keep long-term access, and make investigations harder.
The warning matters because these attacks do not always come from obvious hacker servers. They can appear to come from home routers, small office equipment, or smart devices owned by ordinary users and businesses. That makes blocking a single IP address far less useful than it once was.
The NCSC says China-nexus actors have made a major shift away from individually procured infrastructure and toward large-scale networks of compromised devices. The advisory says most China-nexus threat actors now use these networks, and multiple groups may share the same covert infrastructure.
Everyday devices are becoming attack infrastructure
These covert networks usually contain small office and home office routers, IoT devices, smart devices, cameras, video recorders, firewalls, and network-attached storage systems. Attackers target these devices because many run old firmware, use weak passwords, or stay exposed to the internet for years without proper monitoring.
Once attackers compromise a device, they can route malicious traffic through it. A victim organization may see traffic from a residential or small business connection instead of a suspicious foreign server. That creates confusion for defenders and gives the attacker a cheap way to hide.
The NCSC-led advisory says attackers can use these networks across every stage of an intrusion. That includes scanning targets, delivering malware, communicating with infected systems, researching victims, and exfiltrating stolen data.
What the covert network does
| Stage of attack | How compromised devices help |
|---|---|
| Reconnaissance | Attackers scan targets through residential or small office IP addresses |
| Initial access | Malicious traffic blends with normal internet activity |
| Malware delivery | Payloads can move through relay devices instead of obvious attack servers |
| Command and control | Compromised routers can help hide communications with malware |
| Data theft | Stolen data can leave through rotating nodes, making tracing harder |
| Attribution avoidance | Shared infrastructure makes it harder to link activity to one group |
The advisory also raises a major problem for security teams: indicators can disappear quickly. If defenders block one set of IP addresses, attackers can move through another batch of compromised devices. Google Cloud’s threat team has described this problem as “IOC extinction,” where indicators of compromise lose value because these networks rotate and overlap so quickly.
This means static blocklists alone will not protect organizations. Security teams need better visibility into edge traffic, remote access behavior, VPN activity, and unusual login patterns. They also need dynamic threat intelligence that updates faster than traditional lists.
China-linked groups named in the warning
The advisory connects this wider trend to known China-nexus operations, including Volt Typhoon and Flax Typhoon. It says Volt Typhoon used covert networks to pre-position offensive cyber capabilities on critical national infrastructure, while Flax Typhoon used compromised infrastructure for cyber espionage.
One example is Raptor Train, a botnet that infected more than 200,000 devices worldwide in 2024. The advisory says it was controlled and managed by China’s Integrity Technology Group, which the FBI also linked to computer intrusion activity attributed to Flax Typhoon.
The U.S. Justice Department previously said a court-authorized operation disrupted a botnet used by PRC state-sponsored hackers, and that the FBI continued to investigate Integrity Technology Group and Flax Typhoon intrusion activity.
Why routers are so useful to attackers
Routers sit at the edge of a network. They connect homes, offices, factories, branch locations, and remote workers to the internet. Many organizations do not monitor these devices as closely as laptops, servers, or cloud accounts.
That makes routers valuable to advanced threat actors. A compromised router can become a relay, a hiding place, or a stepping stone into bigger targets. It can also make malicious activity look like normal traffic from a trusted region or consumer internet provider.
The risk grows when organizations rely on remote access, third-party connections, and exposed edge systems. A single weak device can help attackers reach stronger targets without revealing their real infrastructure.
What organizations should do now
The NCSC says organizations should map and baseline edge device traffic, especially VPN and remote access connections. It also recommends dynamic threat feed filtering that includes known covert network indicators, along with zero trust controls where possible.
Security teams should start with these actions:
- Map all routers, firewalls, VPN systems, and remote access gateways.
- Patch edge devices and remove unsupported hardware.
- Enforce multi-factor authentication for all remote access.
- Restrict admin access to trusted networks.
- Monitor unusual traffic from residential IP ranges.
- Review outbound traffic from VPN, firewall, and proxy systems.
- Use allow lists where business operations permit them.
- Rotate passwords and remove default credentials from all edge devices.
- Hunt for abnormal connections to unfamiliar infrastructure.
- Replace devices that no longer receive vendor security updates.
Large and high-risk organizations should go further. They should apply machine learning-based anomaly detection, geographic profiling, machine certificate verification, and active threat hunting across suspicious SOHO, IoT, and VPN traffic.
Why this changes the defensive playbook
The main lesson is simple: defenders can no longer treat a suspicious IP address as a stable clue. China-linked actors can move through large pools of compromised devices, and different actors may use the same pool at different times.
That makes behavior more important than origin. Security teams should look at what a connection does, what account it touches, what device it uses, and whether it matches normal business activity.
For businesses, this also turns router maintenance into a security priority. Old firmware, exposed admin panels, and forgotten network appliances can help attackers even when the final target sits somewhere else.
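The two defensive ideas above, aging out rotating indicators and judging a VPN login by its behavior rather than its source, as a small added example (not code from the NCSC advisory). The log format, user names, IP addresses, ISP classes and the enrichment field names are all constructed for illustration.

```python
"""Behaviour-based triage of VPN logins plus an aging IOC list.
Added example, not from the advisory: the log format, field names and
IP/ISP values below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log lines: time, user, source IP, ISP class
# (as a hypothetical enrichment lookup would tag it), client-cert check.
VPN_LOG = """\
2025-03-01T08:02:11Z user=alice src=203.0.113.10 isp=business cert=ok
2025-03-01T08:05:40Z user=bob src=198.51.100.7 isp=business cert=ok
2025-03-02T02:17:03Z user=alice src=192.0.2.55 isp=residential cert=missing
2025-03-02T09:30:12Z user=bob src=198.51.100.7 isp=business cert=ok
2025-03-02T23:41:58Z user=bob src=192.0.2.99 isp=residential cert=ok
"""

def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def triage(log, work_hours=(7, 19)):
    """Return (user, src, reasons) for logins that deviate from the user's
    own history: first residential source after business-only logins,
    missing machine certificate, or login outside working hours."""
    baseline = defaultdict(set)   # user -> ISP classes seen so far
    alerts = []
    for rec in map(parse, log.splitlines()):
        seen, reasons = baseline[rec["user"]], []
        if rec["isp"] == "residential" and seen and "residential" not in seen:
            reasons.append("new residential source")
        if rec["cert"] != "ok":
            reasons.append("no machine certificate")
        if not work_hours[0] <= rec["ts"].hour < work_hours[1]:
            reasons.append("off-hours")
        seen.add(rec["isp"])       # a real baseline would add only after review
        if reasons:
            alerts.append((rec["user"], rec["src"], reasons))
    return alerts

# Constructed feed: indicator -> when it was last reported.
IOC_FEED = {"192.0.2.55": datetime(2025, 3, 8), "192.0.2.1": datetime(2025, 2, 1)}
NOW = datetime(2025, 3, 10)

def active_iocs(feed, now, max_age=timedelta(days=7)):
    """Keep only indicators newer than max_age: covert-network nodes rotate,
    so stale entries mostly produce noise (the 'IOC extinction' problem)."""
    return {ip for ip, last_seen in feed.items() if now - last_seen <= max_age}
```

Run on the constructed log it flags alice's night-time residential login without a machine certificate and bob's off-hours login from a new residential source, while bob's repeated business-hours logins pass.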
FAQ
They are large networks of compromised routers, IoT devices, smart devices, and edge systems that attackers use to hide cyber operations. They work like proxy networks for espionage, malware delivery, command and control, and data theft.
Routers often sit exposed at the edge of networks and may run outdated firmware. Attackers can use them to relay traffic and make attacks appear to come from normal homes or small businesses.
The advisory references China-nexus activity involving groups such as Volt Typhoon and Flax Typhoon. It also discusses Raptor Train, a botnet tied to compromised SOHO and IoT devices.
IP blocklists can help, but they cannot solve the problem alone. These networks rotate devices and share nodes, which means indicators can expire quickly.