This advisory details a significant tactical shift by China-nexus cyber actors toward routing malicious traffic through large-scale networks of compromised devices, known as covert networks or botnets. These networks consist primarily of vulnerable Small Office/Home Office (SOHO) routers and Internet of Things (IoT) devices, which let the threat actors disguise their true origin and conduct reconnaissance, malware delivery, and data exfiltration with a high degree of deniability.
Key points include:
- The transition from individually procured infrastructure to externally provisioned botnets managed by Chinese information security companies.
- Use of compromised edge devices, such as Cisco and NETGEAR routers, that are often end-of-life or unpatched.
- Challenges for defenders caused by indicator of compromise (IOC) extinction: the IP addresses of botnet nodes churn so quickly that static IP block lists lose effectiveness shortly after they are published.
- Recommended defensive strategies ranging from basic asset mapping and multi-factor authentication to advanced zero trust policies and active threat hunting.
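The IOC extinction point above is easiest to see with indicators that carry a sighting time rather than living forever in a flat block list. The following Python script is an added example written for this summary, not code from the advisory or from any of the organisations it names. It keeps a last-seen timestamp per IP indicator, treats an indicator as actionable only within a TTL of its last confirmed sighting (the 14-day window is an assumption, not a value from the advisory), and triages constructed log lines into block, review, or allow decisions so that an indicator that has aged out is surfaced for review rather than silently blocking what may now be an innocent address.

```python
"""Aging IP indicators so that a botnet block list does not go stale.

Added example (not from the advisory). All feed entries, log lines and the
TTL are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumption: a botnet-node IP stays actionable this long after its last
# confirmed sighting; after that it is treated as stale, not as a block.
INDICATOR_TTL = timedelta(days=14)


@dataclass
class Indicator:
    ip: str
    first_seen: datetime
    last_seen: datetime
    source: str

    def state(self, now: datetime) -> str:
        """'active' while within the TTL of the last sighting, else 'stale'."""
        return "active" if now - self.last_seen <= INDICATOR_TTL else "stale"


class IndicatorStore:
    """In-memory indicator store keyed by normalised IP address."""

    def __init__(self) -> None:
        self._by_ip: dict[str, Indicator] = {}

    def add(self, ip: str, seen_at: datetime, source: str) -> None:
        ip = str(ip_address(ip))  # validate and normalise the address
        ind = self._by_ip.get(ip)
        if ind is None:
            self._by_ip[ip] = Indicator(ip, seen_at, seen_at, source)
        else:  # re-sighting extends the indicator's life
            ind.first_seen = min(ind.first_seen, seen_at)
            ind.last_seen = max(ind.last_seen, seen_at)

    def lookup(self, ip: str, now: datetime) -> str | None:
        ind = self._by_ip.get(str(ip_address(ip)))
        return None if ind is None else ind.state(now)


def parse_log_line(line: str) -> tuple[datetime, str, str]:
    # Constructed log format: "<ISO timestamp> <source IP> <event>"
    ts, src, event = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, event


def triage(store: IndicatorStore, lines: list[str]) -> dict[str, str]:
    """Per-source-IP decision: active -> block, stale -> review, unknown -> allow."""
    decisions: dict[str, str] = {}
    for line in lines:
        ts, src, _event = parse_log_line(line)
        state = store.lookup(src, ts)
        decisions[src] = {"active": "block", "stale": "review", None: "allow"}[state]
    return decisions


# Constructed feed entries: (ip, sighting time, feed name). Documentation
# ranges (RFC 5737) are used so nothing here points at a real host.
FEED = [
    ("203.0.113.10", "2024-05-01T00:00:00+00:00", "partner-feed"),
    ("203.0.113.10", "2024-05-20T00:00:00+00:00", "partner-feed"),  # re-confirmed
    ("198.51.100.7", "2024-03-01T00:00:00+00:00", "partner-feed"),  # never re-seen
]

# Constructed log lines from the perimeter device being monitored.
LOG_LINES = [
    "2024-05-25T12:00:00+00:00 203.0.113.10 ssh-login-failed",
    "2024-05-25T12:00:05+00:00 198.51.100.7 ssh-login-failed",
    "2024-05-25T12:00:09+00:00 192.0.2.44 ssh-login-ok",
]


def build_store() -> IndicatorStore:
    store = IndicatorStore()
    for ip, ts, source in FEED:
        store.add(ip, datetime.fromisoformat(ts), source)
    return store


def state_at(ip: str, iso_ts: str) -> str | None:
    """Indicator state for one IP as of a given ISO timestamp."""
    return build_store().lookup(ip, datetime.fromisoformat(iso_ts))


def demo() -> dict[str, str]:
    return triage(build_store(), LOG_LINES)


if __name__ == "__main__":
    for ip, decision in demo().items():
        print(f"{ip:15} {decision}")
```

With the constructed data, the re-confirmed address is blocked, the address last seen 85 days earlier is routed to review instead of being blocked, and the unknown address is allowed. The same TTL logic is what makes a block list usable against churning botnet infrastructure: the feed has to be re-fed with fresh sightings, or the list decays to nothing useful, which is exactly why the advisory pairs IP indicators with behavioural hunting rather than relying on them alone.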