Defending Against China-Nexus Covert Networks of Compromised Devices
China-nexus cyber actors are increasingly using large-scale networks of compromised devices, known as covert networks, to mask their malicious activities. This shift in tactics, techniques, and procedures (TTPs) moves away from individually procured infrastructure. These covert networks are primarily composed of compromised Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices. Such networks allow actors to conduct cyber operations with low cost, low risk, and deniability, making attribution difficult. They are utilized across all phases of the cyber kill chain, from reconnaissance to malware delivery and data exfiltration. Evidence suggests that Chinese information security companies create and maintain these covert networks. For example, the Raptor Train network, infecting over 200,000 devices, was managed by Integrity Technology Group. The KV Botnet, used by Volt Typhoon, consisted mainly of vulnerable end-of-life routers. Old defense paradigms relying on static IP blocklists are becoming less effective due to the dynamic and distributed nature of these botnets. Defenders must adapt by mapping network edge devices, baselining normal connections, and leveraging threat intelligence. Implementing multi-factor authentication and employing IP address or geographic allow lists are crucial protective measures. Larger or more at-risk organizations can further enhance security through zero trust policies and reducing their internet-facing IT estate. Active hunting and tracking of these covert networks as distinct threats are recommended for the most targeted entities. Comprehensive cybersecurity best practices remain fundamental in defending against these evolving threats.