The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), in collaboration with other federal and international partners, released this Joint Cybersecurity Advisory to provide network defenders with vital tools and resources to combat the threat posed by Chinese government-linked threat actors’ use of covert networks of compromised devices.
The advisory outlines tactics, techniques, and procedures associated with Chinese government-linked covert networks built from compromised small-office/home-office (SOHO) routers, Internet of Things (IoT) devices, and other smart devices. It explains how threat actors operating these covert networks, including actors previously tied to groups such as Volt Typhoon and Flax Typhoon, use large-scale botnet infrastructure to obscure attribution and to enable reconnaissance, intrusion, command-and-control, and data exfiltration.
The advisory provides tailored defensive guidance for cyber defenders to identify, baseline, and mitigate activity originating from dynamic, deniable covert networks, reducing the risk of organizational compromise.
CISA and partners recommend the following steps to protect against this threat:
- Map and understand network edge devices, developing a clear inventory of organizational assets and of what should be connected to them.
- Baseline normal connections, especially to corporate VPNs and similar remote-access devices, so that connections from unexpected sources stand out.
- Maintain log collection and storage solutions to support detection of, and response to, unauthorized access attempts.
- Implement multi-factor authentication for remote connections.
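The "baseline, then detect" steps above can be turned into a small, repeatable check over remote-access logs. The script below is an added example written for this page; it is not code from the advisory, CISA, or NCSC. The log line format, host name, user names and IP addresses are constructed for illustration, and the choices to bucket sources by /24 and to flag three or more distinct users failing from one source are assumptions. It goes slightly beyond the text by also counting failed logins per source, since a botnet of compromised SOHO routers typically shows up as low-volume failures spread across many accounts.

```python
"""Baseline VPN logins per user, then alert on successes from unseen networks
and on one source failing against several accounts.

Added example, not from the CISA/NCSC advisory. The key=value log shape,
PREFIX_LEN and SPRAY_THRESHOLD are assumptions; adapt them to your concentrator.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (assumed "key=value" syslog-style format).
BASELINE_LOGS = """\
2024-05-01T08:02:11Z vpn-gw auth user=alice src=203.0.113.10 result=success
2024-05-01T08:05:40Z vpn-gw auth user=bob src=198.51.100.7 result=success
2024-05-02T09:14:02Z vpn-gw auth user=alice src=203.0.113.44 result=success
2024-05-02T09:20:19Z vpn-gw auth user=bob src=198.51.100.7 result=success
2024-05-03T07:59:50Z vpn-gw auth user=carol src=192.0.2.200 result=success
"""

NEW_LOGS = """\
2024-05-10T03:12:07Z vpn-gw auth user=alice src=203.0.113.10 result=success
2024-05-10T03:13:30Z vpn-gw auth user=bob src=192.0.2.77 result=success
2024-05-10T03:14:01Z vpn-gw auth user=carol src=192.0.2.200 result=success
2024-05-10T03:15:12Z vpn-gw auth user=dave src=203.0.113.99 result=failure
2024-05-10T03:15:15Z vpn-gw auth user=erin src=203.0.113.99 result=failure
2024-05-10T03:15:18Z vpn-gw auth user=frank src=203.0.113.99 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)
PREFIX_LEN = 24       # assumption: home connections drift within a /24, so bucket by it
SPRAY_THRESHOLD = 3   # assumption: this many distinct users failing from one source


def parse(text):
    """Parse log lines into dicts; each gets a 'net' key with the /PREFIX_LEN bucket."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown shape; a production pipeline should count these
        ev = m.groupdict()
        ev["net"] = ipaddress.ip_network(f"{ev['src']}/{PREFIX_LEN}", strict=False)
        events.append(ev)
    return events


def build_baseline(text):
    """Map each user to the set of source networks from which they logged in successfully."""
    baseline = defaultdict(set)
    for ev in parse(text):
        if ev["result"] == "success":
            baseline[ev["user"]].add(ev["net"])
    return baseline


def detect(text, baseline):
    """Return alerts as tuples: ('new-user'|'new-source', user, src) or ('spray', src, users)."""
    alerts = []
    failures_by_src = defaultdict(set)
    for ev in parse(text):
        if ev["result"] == "success":
            if ev["user"] not in baseline:
                alerts.append(("new-user", ev["user"], ev["src"]))
            elif ev["net"] not in baseline[ev["user"]]:
                alerts.append(("new-source", ev["user"], ev["src"]))
        else:
            failures_by_src[ev["src"]].add(ev["user"])
    # Many distinct accounts failing from one address is the shape of a spray
    # coming through a single compromised router.
    for src, users in failures_by_src.items():
        if len(users) >= SPRAY_THRESHOLD:
            alerts.append(("spray", src, ",".join(sorted(users))))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

Alice and Carol reconnect from networks already in their baseline and produce no alert; Bob's success from 192.0.2.77 is flagged as a new source, and 203.0.113.99 is flagged for failing against three different accounts. In practice the baseline window should be long enough to cover normal travel and ISP address changes, and new-source alerts are a trigger for an MFA or identity check, not proof of compromise on their own.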
For more information on Chinese government-linked threat actor activity, please visit CISA’s China Threat Overview and Advisories page. CISA also provides helpful resources on the Edge Device Security webpage.