Advisory · Published Apr 23, 2026 · Updated May 18, 2026 · 1 source

China-Backed Hackers Industrialize Botnet Operations, Warn UK and US Agencies

The UK's NCSC, alongside US and other agencies, warns that China-nexus threat actors are industrializing botnets of compromised SOHO routers and IoT devices for large-scale, deniable cyber operations.

The UK's National Cyber Security Centre (NCSC-UK), in coordination with cybersecurity agencies in the US and other countries, has issued a joint advisory warning that China-nexus threat actors are systematically industrializing the creation and use of botnets composed of compromised small office and home office (SOHO) routers, IoT devices, and other edge technologies. The advisory, published this week, highlights a strategic shift where Chinese information security companies are now methodically building and maintaining vast pools of covert network endpoints, which are then shared among multiple state-backed threat groups for reconnaissance, malware delivery, and data exfiltration.

According to the advisory, groups such as Flax Typhoon and Volt Typhoon are leveraging these botnets to conduct operations at a scale and with a level of operational security previously unseen. The botnets provide a "low-cost, low-risk, deniable way" to carry out attacks, as the compromised devices allow threat actors to research exploitation techniques, test new tactics, techniques, and procedures (TTPs), and surveil victims without attribution. The advisory notes that some covert networks are even used by legitimate customers for general internet browsing, further complicating efforts to distinguish malicious activity from benign traffic.

The core of these botnets consists of compromised SOHO routers, but the advisory warns that they also include vulnerable IoT devices, web cameras, video recorders, end-of-life routers, firewalls, and network-attached storage devices. The creators and maintainers of these botnets continually refresh the infrastructure, adding new nodes as old devices are patched or removed, and restructuring the networks in response to defensive or legal action. This churn renders traditional network defenses, such as blocking a static list of known-malicious IP addresses, largely ineffective: a single threat actor can operate from any one of many covert networks, each with potentially hundreds of thousands of endpoints, so an address blocked today is simply replaced by another residential address tomorrow.

"CISA and its partners are calling out a trend that’s been building for years: the industrialization of botnets," said Matthew Hartman, chief strategy officer at Merlin Group. "Chinese actors are likely leveraging a division of labor, with some groups compromising and maintaining large pools of SOHO routers and consumer IoT devices, then handing off or leasing that access for operations. That model increases both scale and plausible deniability." Hartman noted that while Russian and Iranian groups have used similar tactics, the scale and tempo of Chinese operations are what set this apart and justify a coordinated advisory.

Bradley Smith, senior vice president and deputy CISO at BeyondTrust, drew a parallel between the Chinese operational model and that of initial access brokers in the cybercriminal ecosystem, but with state backing. "Chinese cyber operations have adopted a supply-chain model for offensive infrastructure: dedicated teams or contracted entities compromise and maintain large pools of SOHO routers, IoT devices, and edge equipment, then provision access to specific operational units based on mission requirements," he said. This specialization at each stage — compromise, curation, provisioning, and operational use — makes attribution harder and takedown less effective, as removing one operational user does not affect the underlying infrastructure pool.

The advisory recommends that organizations develop a clear picture of their network edge devices and of all the assets that should be connecting to them. Organizations should baseline normal connections, such as those arriving from corporate VPN concentrators, and watch for unusual ones, such as a successful login from a consumer broadband range. Larger organizations are advised to consider building geographic IP allow lists, profiling incoming connections on attributes such as client operating system, time zone, and configuration settings, and applying zero-trust policies to incoming connections rather than trusting a source network. Organizations most at risk should actively track the activities of China-nexus APTs, conduct threat hunting, and map the covert networks reported by threat intelligence sources.
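The recommendations above amount to a detection that does not depend on a static IP blocklist: compare each successful login against expected source ranges, a geographic allow list, and a per-user baseline of client attributes. The following Python script is an added illustration of that logic and is not part of the advisory or of any vendor's product. The log format, the RFC 5737 documentation prefixes used as corporate and consumer ranges, the tiny IP-profile table standing in for a real GeoIP/ASN lookup, and the per-user baselines are all constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample VPN access records (syslog-style, not taken from the advisory).
# Fields: timestamp, user, source IP, client OS, client UTC offset, result.
SAMPLE_LOGS = """\
2026-04-21T08:02:11Z vpn login user=alice src=203.0.113.45 os=Windows11 tz=+01:00 result=ok
2026-04-21T08:05:42Z vpn login user=bob src=203.0.113.77 os=macOS14 tz=+01:00 result=ok
2026-04-21T03:14:09Z vpn login user=alice src=198.51.100.23 os=Linux tz=+08:00 result=ok
2026-04-21T09:30:00Z vpn login user=carol src=192.0.2.200 os=Windows11 tz=+00:00 result=ok
2026-04-21T09:31:13Z vpn login user=bob src=192.0.2.17 os=macOS14 tz=+01:00 result=ok
2026-04-21T09:40:00Z vpn login user=dave src=192.0.2.33 os=Linux tz=+03:00 result=fail
"""

# Baseline of expected source ranges (corporate egress and managed VPN concentrators).
# 203.0.113.0/24 is a documentation prefix used here as a stand-in (assumption).
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Stand-in for a GeoIP/ASN lookup. A real deployment would query a GeoIP database
# or the provider's ASN feed; this table is constructed for the example.
IP_PROFILE = [
    (ipaddress.ip_network("203.0.113.0/24"), "GB", "corporate"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB", "consumer-broadband"),
    (ipaddress.ip_network("192.0.2.0/24"), "US", "consumer-broadband"),
]
ALLOWED_COUNTRIES = {"GB"}  # geographic allow list (assumed policy)

# Per-user baseline of client attributes learned from prior sessions (constructed).
USER_BASELINE = {
    "alice": {"os": "Windows11", "tz": "+01:00"},
    "bob": {"os": "macOS14", "tz": "+01:00"},
    "carol": {"os": "Windows11", "tz": "+00:00"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"os=(?P<os>\S+) tz=(?P<tz>\S+) result=(?P<result>\S+)$"
)

Finding = namedtuple("Finding", "ts user src reasons")


def profile_ip(ip):
    """Return (country, kind) for an address, or unknowns if not in the table."""
    for net, country, kind in IP_PROFILE:
        if ip in net:
            return country, kind
    return "??", "unknown"


def parse_line(line):
    """Parse one access record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def evaluate(rec):
    """Return the list of reasons a successful login deviates from the baseline."""
    reasons = []
    ip = rec["src"]
    country, kind = profile_ip(ip)
    if not any(ip in net for net in EXPECTED_SOURCE_NETS):
        reasons.append("source outside expected corporate ranges")
    if kind == "consumer-broadband":
        reasons.append(f"consumer broadband source ({country})")
    if country not in ALLOWED_COUNTRIES:
        reasons.append(f"country {country} not on geo allow list")
    base = USER_BASELINE.get(rec["user"])
    if base is None:
        reasons.append("no baseline for user")
    else:
        if rec["os"] != base["os"]:
            reasons.append(f"client OS {rec['os']} differs from baseline {base['os']}")
        if rec["tz"] != base["tz"]:
            reasons.append(f"client time zone {rec['tz']} differs from baseline {base['tz']}")
    return reasons


def hunt(log_text):
    """Scan successful logins only; failed attempts belong to a brute-force hunt, not this one."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "ok":
            continue
        reasons = evaluate(rec)
        if reasons:
            findings.append(Finding(rec["ts"], rec["user"], str(rec["src"]), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f.ts, f.user, f.src, "; ".join(f.reasons))
```

On the constructed sample, the two logins from the corporate range pass cleanly, while alice's session from a GB consumer range is flagged on source, OS and time zone at once, and the two US consumer-broadband sessions are flagged on source and geography even though their client attributes match. Flagging on several independent attributes is what makes the hunt robust to the node churn described above: the adversary can rotate residential IP addresses freely, but a borrowed session still has to present a client profile that matches the legitimate user.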

The timing of the advisory reflects the growing maturity and volume of botnet use by Chinese threat actors rather than a specific new attack. The approach works because SOHO devices and consumer-grade technologies share structural weaknesses: default credentials, infrequent patching, no centralized management, and owners unaware that their devices are reachable from the internet. Concerns over these weaknesses have already prompted the US government to ban the import of new routers made outside the US. The advisory underscores a fundamental shift in the threat landscape, in which state-backed actors have industrialized the creation and maintenance of covert networks, making them a persistent and scalable tool for cyber operations.

Synthesized by Vypr AI