Full Report
All the Typhoons, everywhere, all at once

A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations, according to a joint 10-country advisory.…
Analysis Summary
# Threat Actor: China-Nexus Cyber Actors (The "Typhoons")
## Attribution & Identity
- **Primary Affiliation:** People’s Republic of China (PRC) state-sponsored actors.
- **Key Groups Named:**
  - **Volt Typhoon:** A PRC-backed group noted for prepositioning for destructive attacks against critical infrastructure.
  - **Flax Typhoon:** Linked to managed computer intrusion activity facilitated by corporate entities.
- **Known Associations:** Integrity Technology Group (a China-based information security company).
- **Aliases:** China-nexus cyber actors, various "Typhoon" monikers.
## Activity Summary
According to a joint 10-country advisory (April 2026), Chinese threat actors are strategically using massive global networks of compromised SOHO (Small Office/Home Office) routers and IoT devices. These "covert networks" or botnets serve as operational infrastructure to proxy malicious traffic, allowing actors to blend in with legitimate network activity, steal data, and preposition for disruptive operations. A notable example includes the "Raptor Train" botnet, which infected hundreds of thousands of devices.
## Tactics, Techniques & Procedures
- **Proxying & Obfuscation:** Using compromised global infrastructure to hide the origin of attacks and bypass geographic-based security filters.
- **Living off the Land:** Utilizing legitimate edge devices to maintain a persistent presence without deploying heavy malware.
- **Persistence:** Burrowing into critical infrastructure networks to "preposition" for future disruptive actions.
- **Exploitation of EoL (End-of-Life) Hardware:** Specifically targeting devices that no longer receive security patches.
- **Co-opting Infrastructure:** Multiple China-linked groups are known to share or simultaneously use the same covert networks.
## Targeting
- **Sectors:**
  - Critical Infrastructure (energy, water, communications, etc.)
  - Government and Military
  - Small Office/Home Office (SOHO) as a conduit
- **Geography:** Global footprint; specific mention of the United States, UK, Australia, Canada, Germany, Japan, Netherlands, New Zealand, Spain, and Sweden.
- **Victims:** Owners of SOHO routers and IoT devices, whose compromised gear is used as a "stepping stone" to reach high-value targets in government and critical industry.
## Tools & Infrastructure
- **Botnets:**
  - **Raptor Train:** Managed by Integrity Technology Group; infected 200,000+ devices.
  - **KV Botnet:** Historically associated with Volt Typhoon campaigns.
- **Compromised Hardware:**
  - SOHO routers (specifically end-of-life Cisco and Netgear models).
  - IP/Web cameras and Digital Video Recorders (DVRs).
  - Network-Attached Storage (NAS) devices.
  - Firewalls.
- **Infrastructure:** Covert proxy networks designed to be ephemeral and scale rapidly.
## Implications
The shift toward large-scale, automated covert networks represents a strategic evolution in PRC cyber operations. By utilizing residential and small-business hardware, these actors make attribution difficult and traditional IP-based blocking ineffective. The focus on prepositioning within critical infrastructure suggests a move beyond traditional espionage toward preparing for potential kinetic or disruptive "flash" attacks during geopolitical conflicts.
## Mitigations
- **Network Baselines:** Map and baseline edge device traffic, specifically focusing on VPN and remote access connections.
- **Access Control:** Implement Multi-Factor Authentication (MFA) for all remote access and transition to Zero Trust security models.
- **Filtering:** Use dynamic threat feed filtering and IP allow-lists for sensitive services.
- **Device Management:** Replace end-of-life (EoL) hardware that no longer receives security updates.
- **Proactive Hunting:** Large organizations should hunt for suspicious IoT/SOHO traffic using geographic profiling and machine learning-based anomaly detection.
- **Verification:** Implement machine certificate verification for device-to-device communication.
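The "Network Baselines" and "Proactive Hunting" items above describe the defensive side of the proxying TTP: because the attacker's traffic arrives from ordinary residential routers, blocking source IPs or countries gives little, and the useful signal is deviation from what each account normally does. The following Python script is an added illustration of that idea and is not code from the advisory, the article, or any of the named vendors. The log format, user names, IP addresses, ASNs, country codes and the corp/residential ASN labels are all constructed for the example; the ASN classification is assumed to come from an upstream enrichment step that is not implemented here, and the two-hour impossible-travel window is an assumed tuning value.

```python
"""Hunt for suspicious remote-access sessions against a per-user baseline.

Added illustration; not code from the advisory or the article. The log
format, users, IPs, ASNs and the corp/residential labels are constructed.
The ASN class is assumed to be supplied by an upstream enrichment step.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical VPN/remote-access log lines, one per session:
# timestamp, user, source IP, ASN, ASN class, country, result.
BASELINE_LOG = """\
2026-03-02T08:01:10Z alice 203.0.113.10 AS64500 corp DE success
2026-03-03T08:05:42Z alice 203.0.113.11 AS64500 corp DE success
2026-03-04T09:12:03Z bob 198.51.100.7 AS64501 residential NL success
2026-03-05T09:15:55Z bob 198.51.100.7 AS64501 residential NL success
"""

# Constructed new log lines to hunt through. Lines three and four are the
# interesting ones: alice appears from an unfamiliar residential ASN in a
# new country, then from her usual location less than half an hour later.
NEW_LOG = """\
2026-04-01T08:03:21Z alice 203.0.113.12 AS64500 corp DE success
2026-04-01T09:30:00Z bob 198.51.100.7 AS64501 residential NL success
2026-04-01T22:14:09Z alice 192.0.2.44 AS64502 residential US success
2026-04-01T22:40:31Z alice 203.0.113.10 AS64500 corp DE success
2026-04-02T03:00:00Z carol 192.0.2.90 AS64503 residential JP failure
"""

FIELDS = ("ts", "user", "src_ip", "asn", "asn_class", "country", "result")
# Assumed tuning value: two countries within this window is implausible.
TRAVEL_WINDOW = timedelta(hours=2)


def parse(log_text):
    """Turn whitespace-separated log lines into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines rather than abort the hunt
        ev = dict(zip(FIELDS, parts))
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Per user: the set of (ASN, country) pairs seen in successful sessions."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            baseline[ev["user"]].add((ev["asn"], ev["country"]))
    return baseline


def hunt(new_events, baseline):
    """Return findings as (rule, user, timestamp, detail) tuples."""
    findings = []
    last_success = {}  # user -> (timestamp, country) of the previous success
    for ev in sorted(new_events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        key = (ev["asn"], ev["country"])
        # Rule 1: success from a residential/SOHO ASN this user has never used.
        # A session relayed through a compromised home router looks like an
        # ordinary residential client, so novelty relative to the baseline
        # carries the signal, not the IP address itself.
        if (ev["result"] == "success" and ev["asn_class"] == "residential"
                and key not in baseline.get(user, set())):
            findings.append(("new_residential_asn", user, ts.isoformat(),
                             f'{ev["src_ip"]} {ev["asn"]} {ev["country"]}'))
        # Rule 2: impossible travel between two successful logins.
        if ev["result"] == "success":
            prev = last_success.get(user)
            if prev and prev[1] != ev["country"] and ts - prev[0] <= TRAVEL_WINDOW:
                findings.append(("impossible_travel", user, ts.isoformat(),
                                 f"{prev[1]} -> {ev['country']} in {ts - prev[0]}"))
            last_success[user] = (ts, ev["country"])
    return findings


def run_hunt():
    """Build the baseline from history and hunt through the new sessions."""
    return hunt(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for finding in run_hunt():
        print(*finding)
```

Run as a script, it reports two findings, both for alice: a first-time successful session from a residential ASN in a country she has never used, and an impossible-travel pair when her usual German session follows that one 26 minutes later. Carol's failed attempt from an unknown residential network produces nothing, because both rules are scoped to successful sessions; widening them to failures is a tuning choice that trades noise for earlier warning. The same structure extends to the device-to-device and VPN traffic the advisory asks organizations to baseline: the fields change, the novelty-against-baseline logic does not.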