China-Backed Hackers Are Industrializing Botnets

NCSC-UK and allied agencies warn that China-nexus threat actors are increasingly leveraging covert botnets made of compromised SOHO routers, IoT, and smart devices to conduct reconnaissance, deliver malware, and exfiltrate data against U.S. organizations. The advisory attributes many of these dynamic, shared networks to China-linked firms and notes groups such as Flax Typhoon and Volt Typhoon use them, complicating attribution and prompting recommendations for edge-device inventories, zero-trust, and active threat hunting. #FlaxTyphoon #VoltTyphoon

Keypoints

  • NCSC-UK and international partners warn China-nexus actors are using covert botnets of SOHO routers and IoT devices to target U.S. organizations.
  • Evidence suggests China-linked companies are creating and maintaining these botnets, which are then used by groups like Flax Typhoon and Volt Typhoon.
  • The botnets are dynamic and shared among multiple actors, making static IP blocks and attribution ineffective.
  • Attackers exploit common SOHO weaknesses—default credentials, infrequent patching, and no centralized management—to scale their infrastructure.
  • Agencies recommend mapping edge devices, baselining connections, implementing zero-trust and geographic IP controls, and conducting threat hunting.
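The baselining recommendation above, as an added example that is not part of the advisory or the article: connection records and addresses are constructed, and the point is that a per-device baseline of learned (remote address, port) pairs flags a rotated botnet node that a stale static blocklist misses.

```python
"""Baseline-then-deviate check for edge-device outbound connections (added example)."""
from collections import defaultdict

# Constructed flow records: (device, remote_ip, remote_port, phase).
# phase "learn" = trusted baseline window; "live" = period under review.
FLOWS = [
    ("router-1", "203.0.113.10", 443, "learn"),   # vendor update server (constructed)
    ("router-1", "203.0.113.10", 443, "learn"),
    ("router-1", "198.51.100.5", 123, "learn"),   # NTP (constructed)
    ("camera-7", "203.0.113.20", 443, "learn"),
    ("router-1", "203.0.113.10", 443, "live"),
    ("router-1", "192.0.2.77", 8443, "live"),     # never seen in baseline (constructed)
    ("camera-7", "192.0.2.78", 22, "live"),       # outbound SSH from a camera (constructed)
]

# Stale static blocklist holding yesterday's node; the shared botnet has since
# rotated to other addresses, so the indicator no longer matches anything.
STATIC_BLOCKLIST = {"192.0.2.76"}


def build_baseline(flows):
    """Map each device to the set of (remote_ip, port) pairs seen while learning."""
    baseline = defaultdict(set)
    for device, ip, port, phase in flows:
        if phase == "learn":
            baseline[device].add((ip, port))
    return dict(baseline)


def find_deviations(flows, baseline):
    """Return live flows whose (remote_ip, port) is outside the device's baseline."""
    return sorted({(d, ip, port) for d, ip, port, phase in flows
                   if phase == "live" and (ip, port) not in baseline.get(d, set())})


def static_blocklist_hits(flows, blocklist=STATIC_BLOCKLIST):
    """What a static indicator block would have caught in the same live window."""
    return sorted({(d, ip, port) for d, ip, port, phase in flows
                   if phase == "live" and ip in blocklist})


if __name__ == "__main__":
    base = build_baseline(FLOWS)
    print("static blocklist hits:", static_blocklist_hits(FLOWS))
    print("baseline deviations:", find_deviations(FLOWS, base))
```

In practice the learning window must itself be reviewed before it is trusted, since a device compromised before baselining would have its beaconing learned as normal.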

Read More: https://www.darkreading.com/cyber-risk/china-hackers-industrializing-botnets