Western cyber security agencies jointly issued a security alert on Thursday (April 23) warning that Chinese hackers are exploiting household WiFi routers, smart home devices, and other everyday connected devices at scale to build covert networks that conceal their malicious cyber activity, and urging countries to strengthen their defenses against it.
According to Reuters, the United Kingdom’s National Cyber Security Centre (NCSC), together with 15 partner agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, and Spain, released an urgent cyber security alert on Thursday warning of a significant shift in the tactics of China-linked hacking groups.
Paul Chichester, the Director of Operations at the UK’s National Cyber Security Centre, stated in a press release, “In recent years, we have observed Chinese (Communist) cyber attack groups deliberately turning to use these networks in an attempt to hide their malicious activities and evade accountability.”
The alert explained how such “covert networks,” or botnets, operate: malicious traffic is routed through thousands to hundreds of thousands of compromised home devices around the world so that the true source of an attack is masked. The devices most often hijacked are household WiFi routers, printers, and network cameras, which are easy to infiltrate.
A “botnet” is a network of a large number of internet-connected devices (computers, mobile phones, routers, IoT devices) that have been infected with malware and are controlled remotely. Each infected device is called a “zombie” or “bot,” and the operators who control them are known as “bot herders.”
Security officials explained that an ordinary household’s WiFi router could, without its owner’s knowledge, serve as a relay for an attack on a major corporation.
The agencies noted in the alert that most China-linked threat actors use these networks; several covert networks have been built and are continually maintained, and a single network may be used by multiple actors at the same time. In one case, a private Chinese company infected more than 200,000 devices worldwide to build a massive “covert network.”
The Chinese state-backed hacking group known as “Volt Typhoon” has been identified as a major user of such “covert networks” and has quietly infiltrated critical infrastructure in the United States, including rail, aviation, and water systems.
Another group, “Flax Typhoon,” uses a similar network to conduct espionage.
Notable cases also include the “Raptor Train” botnet, which reportedly infected more than 200,000 internet-connected devices worldwide and which investigators traced to a Chinese technology company.
In 2026, Google also announced that it had dismantled a “residential proxy” network that cybercrime groups and state actors had previously used to launch attacks.
The alert also warned that such attacks are typically hard to detect and prosecute, because the relevant evidence can disappear quickly. Traditional defenses that block known malicious IP addresses are becoming less and less effective: attackers can rotate rapidly among thousands of infected devices, so blocking any single IP address is almost immediately of little value.
In the joint announcement, the agencies’ experts set out defense recommendations tailored to organizations at different levels of risk.
Businesses and institutions facing general risk are advised to keep a detailed inventory of connected devices, monitor their normal traffic patterns so that deviations stand out, and require multi-factor authentication (MFA) for employees who access the network remotely.
Organizations at higher risk should restrict external access, adopt a zero-trust model in which every connection must be verified, and minimize the exposure of their systems to the internet.
Operators of critical infrastructure facing nation-state threats should proactively monitor for suspicious traffic originating from residential smart devices and use machine learning to detect anomalies early.
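To make the alert’s point about IP rotation concrete, here is an added example (not code from the advisory or any of the agencies) showing why a static IP blocklist fails against a residential-proxy network and what the recommended “monitor normal patterns” approach looks like in practice. The auth log lines are constructed sample data, and the small prefix-to-ASN table is a hypothetical stand-in for a real IP-to-ASN feed. Instead of asking “is this source IP known-bad?”, the detector groups events by the targeted account over a short window and alerts when one account is hit from many distinct IPs across several residential ASNs, a fan-out pattern that does not depend on which hijacked router sent each request.

```python
"""Detect credential attacks that rotate through residential-proxy IPs.

Illustrative example only: LOG is constructed sample data and ASN_TABLE is a
hypothetical stand-in for a real IP-to-ASN lookup.  A static blocklist sees
each rotating address once (and also blocks the legitimate owner of a hijacked
router), while grouping by the targeted account surfaces the fan-out pattern.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth events: "<ISO time> user=<name> src=<ip> result=<ok|fail>"
# alice is attacked from five different addresses in eight seconds; bob is the
# legitimate owner of the hijacked router at 203.0.113.10; carol is normal.
LOG = """\
2026-04-23T09:00:01Z user=alice src=203.0.113.10 result=fail
2026-04-23T09:00:03Z user=alice src=198.51.100.7 result=fail
2026-04-23T09:00:05Z user=alice src=192.0.2.44 result=fail
2026-04-23T09:00:07Z user=alice src=203.0.113.99 result=fail
2026-04-23T09:00:09Z user=alice src=198.51.100.200 result=ok
2026-04-23T09:00:20Z user=bob src=203.0.113.10 result=ok
2026-04-23T09:30:00Z user=bob src=203.0.113.10 result=ok
2026-04-23T09:45:00Z user=carol src=192.0.2.8 result=fail
2026-04-23T09:45:02Z user=carol src=192.0.2.8 result=ok
"""

# Hypothetical prefix -> (ASN, kind) table; a real deployment would query an
# IP-to-ASN feed and a residential/hosting classification source.
ASN_TABLE = {
    "203.0.113.": (64501, "residential"),
    "198.51.100.": (64502, "residential"),
    "192.0.2.": (64503, "hosting"),
}


def lookup_asn(ip):
    """Return (asn, kind) for an IP using the hypothetical prefix table."""
    for prefix, info in ASN_TABLE.items():
        if ip.startswith(prefix):
            return info
    return (0, "unknown")


def parse_events(text):
    """Parse the simple key=value log format into dicts with a UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": kv["user"], "src": kv["src"], "result": kv["result"]})
    return events


def blocklist_hits(events, blocklist):
    """Classic approach: match each event's source IP against a known-bad set."""
    return [e for e in events if e["src"] in blocklist]


def rotation_alerts(events, window_seconds=60, min_distinct_ips=4):
    """Behavioural approach: per account, count distinct source IPs (and the
    residential ASNs behind them) inside a sliding time window; alert when one
    account is reached from at least min_distinct_ips addresses in that window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            ips = {e["src"] for e in window}
            if len(ips) >= min_distinct_ips:
                res_asns = {lookup_asn(ip)[0] for ip in ips if lookup_asn(ip)[1] == "residential"}
                alerts[user] = {
                    "distinct_ips": len(ips),
                    "residential_asns": len(res_asns),
                    "succeeded": any(e["result"] == "ok" for e in window),
                }
    return alerts


if __name__ == "__main__":
    evs = parse_events(LOG)
    # A blocklist built from yesterday's bad IP catches one of alice's five
    # attempts and two legitimate logins by bob, the router's real owner.
    print("blocklist hits:", len(blocklist_hits(evs, {"203.0.113.10"})))
    # The account-centric detector flags alice regardless of which IPs were used.
    for user, info in rotation_alerts(evs).items():
        print(f"ALERT {user}: {info}")
```

The thresholds (`window_seconds`, `min_distinct_ips`) are illustrative and should be tuned against the organization’s own baseline of normal remote-access behaviour; the same per-target windowing can be keyed on other stable attributes (a VPN gateway, an API token, a customer ID) rather than on source addresses the attacker controls.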
The day before the announcement, Richard Horne, Director of the UK’s National Cyber Security Centre, warned at an annual conference in Glasgow that Chinese intelligence and military entities possess “astoundingly high levels of sophistication and complexity” in their cyber operations.
He also revealed that the UK handles on average about four nationally significant cyber incidents every week, and that the most damaging attacks are increasingly linked to state regimes rather than purely criminal groups.
