In the latest warning about the cybersecurity threat posed by China, U.S. officials are advising cyber defenders on how to combat what they call a major shift in tactics by Beijing-affiliated groups.

An April 23 cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA) said that China-linked groups are “moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices.”

“Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors,” said the advisory, also issued by the FBI, the National Security Agency (NSA), and international partners, including the United Kingdom’s National Cyber Security Centre (NCSC-UK).

“The NCSC believes that the majority of China-nexus threat actors are using these (covert) networks, that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors,” the advisory said. It added that the covert networks mainly consist of compromised home office routers, along with Internet of Things (IoT) and smart devices.

“This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity,” CISA acting Director Nick Andersen said. “CISA strongly encourages organizations to review and implement appropriate mitigation measures to defend their devices from this threat.”

The advisory follows numerous warnings about Chinese cyber activities in recent years. The U.S. intelligence community’s Annual Threat Assessment in March 2025 said China poses the biggest cyber threat to the United States, while FBI officials have said China has stolen more personal and corporate data from the United States than all other nations combined.

In January, senior Pentagon officials told lawmakers that Chinese-linked cyber actors, including a group known as Volt Typhoon, have recently infiltrated U.S. networks using a tactic known as “living off the land.”

Volt Typhoon is among the Chinese state-sponsored actors cited in the CISA advisory. It said Volt Typhoon has used covert networks “to pre-position offensive cyber capabilities on critical national infrastructure.” A different group, Flax Typhoon, has used a different covert network of compromised infrastructure to conduct cyber espionage, the advisory said.

CISA described covert networks as being used “to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity.” Some people also legitimately use such networks to browse the internet, making it challenging to spot malicious activity, the advisory said.

Authorities have gathered evidence, CISA said, that Chinese information security companies have created and maintained covert networks used by China-nexus actors.

To strengthen cyber defenses, CISA and other agencies advise organizations to:

  • Map and understand network edge devices, so the organization knows what assets it has and what should be connected to them;
  • Baseline normal connections, especially to corporate VPNs or other similar services;
  • Maintain log collection and storage to help detect and respond to attempts at unauthorized access; and
  • Implement multi-factor authentication for remote connections.
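
The mitigations above describe baselining and logging only in general terms. As an added example that is not part of the advisory or this article, the Python below builds a per-user baseline of source networks from a window of VPN authentication logs and then flags later events that deviate from it: a login from a network the user has never connected from, a source address inside an analyst-supplied block list of suspect infrastructure, or a successful login without MFA. The log line format, gateway name, usernames, the addresses (all from the RFC 5737 documentation ranges) and the block list are constructed for this example; a real gateway's logs need their own parser, and a real block list would come from threat intelligence, not a hard-coded constant.

```python
"""Baseline VPN source networks per user and flag deviations.

Added example, not code from the CISA advisory or the MeriTalk article.
The log format, hostnames, users, addresses and SUSPECT_BLOCKS are all
constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: "<ISO timestamp> <gateway> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<gw>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    gateway: str
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    success: bool
    mfa: bool


def parse_line(line: str) -> AuthEvent | None:
    """Parse one constructed log line; return None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    try:
        return AuthEvent(
            ts=m["ts"], gateway=m["gw"], user=kv["user"],
            src=ipaddress.ip_address(kv["src"]),
            success=kv.get("result") == "success",
            mfa=kv.get("mfa") == "yes",
        )
    except (KeyError, ValueError):
        return None


def network_key(addr) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    """Collapse an address to its /24 (v4) or /48 (v6) so a baseline tolerates
    a home ISP handing the same user a neighbouring address."""
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def build_baseline(lines) -> dict[str, set]:
    """Networks each user successfully connected from during the baseline window."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.success:
            baseline[ev.user].add(network_key(ev.src))
    return dict(baseline)


def score_event(ev: AuthEvent, baseline, suspect_blocks) -> list[str]:
    """Return the list of reasons an event deviates from the baseline (empty if none)."""
    reasons = []
    if ev.user not in baseline:
        reasons.append("user_has_no_baseline")
    elif network_key(ev.src) not in baseline[ev.user]:
        reasons.append("new_source_network")
    if any(ev.src in blk for blk in suspect_blocks):
        reasons.append("source_in_suspect_block")
    if ev.success and not ev.mfa:
        reasons.append("success_without_mfa")
    return reasons


def find_alerts(baseline_lines, new_lines, suspect_blocks):
    """Build the baseline from one window, then score every event in the next."""
    baseline = build_baseline(baseline_lines)
    alerts = []
    for line in new_lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip garbage rather than crash the pipeline
        reasons = score_event(ev, baseline, suspect_blocks)
        if reasons:
            alerts.append((ev.ts, ev.user, str(ev.src), reasons))
    return alerts


# Constructed baseline window: alice works from 203.0.113.0/24, bob from 198.51.100.0/24.
BASELINE_LOGS = [
    "2025-04-14T08:02:11Z vpn-gw1 user=alice src=203.0.113.45 result=success mfa=yes",
    "2025-04-15T08:05:40Z vpn-gw1 user=alice src=203.0.113.52 result=success mfa=yes",
    "2025-04-15T09:11:03Z vpn-gw1 user=bob src=198.51.100.7 result=success mfa=yes",
]
# Constructed: blocks an analyst has tagged as part of a covert network.
SUSPECT_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed events to score against the baseline.
NEW_LOGS = [
    "2025-04-22T08:00:19Z vpn-gw1 user=alice src=203.0.113.47 result=success mfa=yes",
    "2025-04-22T03:17:55Z vpn-gw1 user=alice src=192.0.2.77 result=success mfa=yes",
    "2025-04-22T09:30:02Z vpn-gw1 user=bob src=198.51.100.9 result=success mfa=no",
    "2025-04-22T10:41:27Z vpn-gw1 user=carol src=203.0.113.10 result=failure mfa=no",
    "garbage",
]

if __name__ == "__main__":
    for ts, user, src, reasons in find_alerts(BASELINE_LOGS, NEW_LOGS, SUSPECT_BLOCKS):
        print(f"{ts} {user} {src} {','.join(reasons)}")
```

The /24 collapse is a deliberate trade-off: it keeps a user's home ISP from tripping the "new network" rule on every DHCP change, but it also means an attacker inside the same /24 as the user is invisible to that rule, which is why the MFA and block-list checks run independently of it.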
Jerry Markon
Jerry Markon is a freelance technology reporter for MeriTalk. Previously, he reported for The Washington Post and The Wall Street Journal.