Full Report
The joint warning describes a major tactical shift by Chinese-linked hackers and lays out what organizations should do about it. Source article: "A dozen allied agencies say China is building covert hacker networks out of everyday routers" (CyberScoop).
Analysis Summary
# Threat Actor: China-Nexus Cyber Actors (Volt Typhoon / Flax Typhoon)
## Attribution & Identity
- **Actor Identification:** State-sponsored cyber actors linked to the People’s Republic of China (PRC).
- **Associated Groups/Aliases:**
  - **Volt Typhoon:** Known for pre-positioning on critical infrastructure.
  - **Flax Typhoon:** Known for cyber espionage activities.
- **Support Entities:** Evidence suggests Chinese information security companies create and support the infrastructure used by these actors.
## Activity Summary
The joint advisory (AA26-113A) highlights a "widespread shift" in tactics toward using large-scale, externally provisioned covert networks. Rather than using individually procured infrastructure, these actors are leveraging massive botnets of compromised consumer devices to mask their origin. A prominent recent example is the **Raptor Train** botnet operation.
## Tactics, Techniques & Procedures
- **Covert Networks (Proxy Cells):** Use of large-scale networks composed of compromised Small Office/Home Office (SOHO) routers, IoT, and smart devices.
- **Infrastructure Obfuscation:** Using these networks to disguise the origin and attribution of malicious activity in a low-cost, deniable way.
- **Multi-Tenant Infrastructure:** A single covert network may be shared and used by multiple distinct threat actors.
- **Operational Tasks:**
  - Reconnaissance
  - Malware delivery
  - Data exfiltration/Information theft
- **Pre-positioning:** Historically used by Volt Typhoon to maintain access to critical infrastructure for potential future disruption.
## Targeting
- **Sectors:** Critical infrastructure, government agencies, and information technology.
- **Geography:** Global, with specific focus on the United States and allied nations (including UK, Australia, Canada, Germany, Netherlands, New Zealand, Japan, Spain, and Sweden).
- **Victims:** 200,000 devices worldwide were compromised in the Raptor Train botnet; targets include U.S. critical infrastructure.
## Tools & Infrastructure
- **Malware families used:** Not explicitly named in the text beyond the operational infrastructure name ("Raptor Train").
- **Infrastructure:**
  - **SOHO Routers:** Everyday consumer routers found in homes and small offices.
  - **IoT/Smart Devices:** Internet-connected appliances and hardware.
  - **Botnets:** Large-scale compromised device clusters (e.g., Raptor Train) used as C2 proxies.
## Implications
The advisory describes a strategic shift toward "eye-watering levels of sophistication." The use of these networks makes attribution and defense significantly more difficult because malicious traffic appears to originate from legitimate, domestic IP addresses (SOHO routers), so geography-based filtering and reputation checks on the source address are much less effective. This allows for long-term persistence and "living off the land" at the infrastructure level.
## Mitigations
- **Active Hunting:** Large organizations should hunt for, track, and map covert networks.
- **Blocklisting:** Use threat intelligence and reporting to create and update blocklists of known compromised nodes.
- **Device Hygiene:** Follow standard cybersecurity best practices for SOHO and IoT devices (e.g., firmware updates, changing default credentials).
- **Strategic Mapping:** Track the evolution of botnet infrastructure to anticipate shifts in actor origin points.
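One way to put the blocklisting and hunting guidance into practice, as an added example that is not from the advisory or the article: the script below expires stale feed entries (residential addresses churn, so an old indicator may now belong to an innocent subscriber) and then matches constructed firewall log lines against the remaining compromised-node indicators. The feed, its addresses (RFC 5737 documentation ranges) and the log line format are constructed assumptions, not indicators from the advisory.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed threat-intel feed of reportedly compromised SOHO/IoT nodes.
# Addresses are RFC 5737 documentation ranges, not real indicators.
FEED = [
    {"node": "203.0.113.17",    "last_seen": "2024-05-01"},
    {"node": "198.51.100.0/29", "last_seen": "2024-05-02"},
    {"node": "192.0.2.77",      "last_seen": "2024-01-15"},  # stale entry
]

# Constructed firewall log lines (assumed format): time, src, dst, dport, action.
LOGS = """\
2024-05-03T10:01:02Z src=203.0.113.17 dst=10.0.5.21 dport=443 action=allow
2024-05-03T10:01:09Z src=198.51.100.5 dst=10.0.5.21 dport=22 action=allow
2024-05-03T10:02:11Z src=192.0.2.77 dst=10.0.5.30 dport=443 action=allow
2024-05-03T10:03:40Z src=203.0.113.200 dst=10.0.5.21 dport=443 action=allow
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def build_blocklist(feed, today, max_age_days=30):
    """Return [(network, last_seen)] for feed entries still considered live.
    Entries older than max_age_days are dropped: a residential IP seen months
    ago may have been reassigned, so blocking it would hit the wrong party."""
    now = datetime.strptime(today, "%Y-%m-%d")
    live = []
    for entry in feed:
        seen = datetime.strptime(entry["last_seen"], "%Y-%m-%d")
        if now - seen <= timedelta(days=max_age_days):
            live.append((ipaddress.ip_network(entry["node"], strict=False), entry["last_seen"]))
    return live


def hunt(log_text, blocklist):
    """Match each log line's source against the live blocklist (IPs or CIDRs).
    Returns {src: {"indicator": node, "hits": n, "targets": {"dst:port", ...}}}."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        src = ipaddress.ip_address(m["src"])
        for net, _ in blocklist:
            if src in net:
                rec = findings.setdefault(m["src"], {"indicator": str(net), "hits": 0, "targets": set()})
                rec["hits"] += 1
                rec["targets"].add(f'{m["dst"]}:{m["dport"]}')
                break
    return findings


if __name__ == "__main__":
    for src, rec in hunt(LOGS, build_blocklist(FEED, "2024-05-03")).items():
        print(src, rec)
```

Each finding names the internal host and port a blocklisted node reached, which is the starting point for the "hunt, track, and map" step rather than a verdict on its own.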