Cyber Security Blog

NCSC: China-nexus attackers are hiding in plain sight — here's what your remote access strategy needs to do about it

Written by Craig Pepper | May 1, 2026 2:30:00 PM

On 23 April 2026, the UK's National Cyber Security Centre, supported by the UK Cyber League and 15 international partners, including the US's CISA, FBI and NSA, Germany's BSI and BfV, Australia's ACSC, Canada's Cyber Centre, the Netherlands' AIVD and MIVD, Japan's NCO, New Zealand's NCSC, Spain's CCN and Sweden's NCSC-SE, released a joint advisory describing a major shift in how China-nexus cyber actors operate.

The advisory was launched on Day Two of CYBERUK 2026, and the unusually broad co-sealing list is a signal in its own right: this is a tactic that allied agencies are seeing across every major Western economy, and they want defenders thinking about it now rather than later.

Rather than provisioning their own attack infrastructure (which is expensive, attributable and easy for defenders to take down), the majority of China-nexus threat actors are now routing operations through "covert networks" large, constantly-refreshed botnets built from compromised small-office/home-office (SOHO) routers, IoT devices, smart cameras, firewalls, network-attached storage and other end-of-life edge kit.

The advisory is explicit that there is evidence these networks are being created and maintained by Chinese information security companies. The Raptor Train network, which infected more than 200,000 devices worldwide, was operated by Integrity Technology Group, a company the FBI has assessed to be responsible for the intrusion activity attributed to Flax Typhoon. The KV Botnet used by Volt Typhoon to pre-position offensive cyber capability on US critical national infrastructure was built mostly from vulnerable Cisco and NetGear routers that had reached end-of-life and were no longer receiving security updates.

In short: this is industrialised, deniable infrastructure-as-a-service for state-aligned threat actors.

Why this matters for your defences

The advisory flags a critical defender problem: IOC extinction. Because nodes in these networks rotate constantly, get patched, drop offline, and are shared across multiple threat groups, the indicators-of-compromise model that underpins most static blocklists no longer holds up. By the time a malicious IP is published in a threat report, it may already have been retired, replaced or recycled into another campaign.

There are two further wrinkles defenders need to understand:

  1. Geographic camouflage. Covert networks typically egress traffic from a node in the same region as the target — so a malicious connection arrives from what looks like a residential broadband line in your own country. Country-level geo-blocking won't catch it.
  2. Mixed legitimate use. Some covert networks are also used by paying customers as ordinary anonymising proxies, which makes attribution and clean-cut blocking harder still.

The advisory uses the MITRE ATT&CK framework to characterise the activity (T1584.005 Compromise Infrastructure: Botnet, T1584.008 Compromise Infrastructure: Network Devices, T1583.003 Acquire Infrastructure: Virtual Private Server and T1090.003 Multi-hop Proxy) — useful if you want to map your detections against it.

What the NCSC recommends

The advisory is tiered, with measures scaled to organisation size and risk.

For every organisation:

  • Map your edge devices and understand what should be talking to them.
  • Baseline normal VPN and remote-access connections, and ask whether you'd really expect traffic from consumer broadband ranges.
  • Enforce multi-factor authentication for every remote connection.
  • Subscribe to dynamic threat feeds that include covert-network indicators.
  • Smaller organisations can build a free action plan via the NCSC's Cyber Action Toolkit.

For larger or higher-risk organisations:

  • Apply IP allow lists (not deny lists) for VPN connections.
  • Profile incoming connections by geography, time zone, operating system or organisation-specific configuration.
  • Implement zero-trust policies for remote connections.
  • Enforce machine certificates for SSL connections.
  • Reduce the internet-facing footprint of your IT estate.
  • Use ML-driven anomaly detection on edge traffic.

For the most exposed organisations:

  • Track covert networks as APTs in their own right.
  • Actively hunt for connections from IP ranges hosting SOHO routers and IoT devices.
  • Map covert-network topology using banners, certificates and NetFlow data.
  • Build dynamic blocklists and alert rules from threat feeds rather than static lists.

The underlying message

If your remote-access strategy still relies primarily on static IP blocklists and a "we'll spot the bad guys by their address" assumption, this advisory is a clear signal that the model has run out of road. The defensive shift is from known-bad to known-good allow-list thinking, behavioural baselining and zero-trust controls.

How Periculo can help

If your team is digesting this advisory and wondering where you stand, we can help. We're currently working with clients on edge-traffic baselines, remote-access reviews, zero-trust roadmaps, and Cyber Essentials and IASME alignment that map directly to the NCSC's recommendations.

A 30-minute call is usually enough to identify your top three priorities against this guidance. Get in touch for a short, no-obligation conversation.

Read the full advisory: Defending against China-nexus covert networks of compromised devices — NCSC
View full post