Full Report
Global cybersecurity agencies sounded the alarm on Chinese government-linked hackers quietly building and maintaining hidden networks of hijacked... The post Cybersecurity agencies flags use of covert networks by China-linked actors for espionage, offensive operations appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: China-Nexus Covert Networks (Integrity Technology Group)
## Attribution & Identity
* **Actor Identification:** Chinese government-linked/state-sponsored threat actors.
* **Associated Groups:** Multiple distinct China-nexus clusters, noted in the advisory as sharing the same covert infrastructure.
* **Known Associations:** Specifically linked to the **Integrity Technology Group**, a Chinese information security company assessed by the FBI as being responsible for controlling major botnet infrastructure.
## Activity Summary
The advisory details the transition of Chinese state-sponsored actors from using individually procured infrastructure to operating large-scale "covert networks." These networks consist of thousands of hijacked consumer devices used to mask malicious activity. A primary example cited is the discovery and disruption of a massive botnet that infected hundreds of thousands of devices globally to facilitate espionage and offensive cyber operations.
## Tactics, Techniques & Procedures
* **Use of Proxy Networks:** Building and maintaining large-scale botnets to obfuscate the origin of attacks.
* **Living off the Land (Edge Devices):** Operating within the legitimate traffic of compromised SOHO and IoT devices.
* **Multi-Stage Lifecycle Support:** Utilizing covert networks for every phase of the Cyber Kill Chain, including:
  * Reconnaissance and anonymous research.
  * Malware delivery.
  * Command and Control (C2) relaying.
  * Data exfiltration.
* **Dynamic Infrastructure:** Rapidly re-shaping networks to bypass static IP blocklists.
* **Shared Infrastructure:** Multiple distinct threat actor groups often utilize the same covert network simultaneously.
## Targeting
* **Sectors:** Critical infrastructure, government agencies, and organizations targeted for espionage.
* **Geography:** Global. The advisory specifically mentions the UK, USA, Australia, Canada, Germany, Japan, Netherlands, New Zealand, Spain, and Sweden.
* **Victims:** Small Office/Home Office (SOHO) users, IoT device owners, and smart device users (used as "hops"); targets are primarily high-value espionage victims.
## Tools & Infrastructure
* **Botnets:**
  * **Raptor Train:** A major network that infected over 200,000 devices worldwide in 2024.
* **Compromised Devices:**
  * SOHO routers.
  * Internet of Things (IoT) devices.
  * Smart home/business devices.
  * Unprotected edge devices.
* **Infrastructure Management:** Managed through Chinese private-sector "information security" companies acting as proxies for the state.
## Implications
* **Attribution Challenges:** By mixing malicious traffic with legitimate residential/business traffic, actors make forensic attribution significantly more difficult.
* **Operational Resilience:** The low cost and deniable nature of these networks allow actors to regenerate infrastructure quickly if individual nodes are discovered.
* **Strategic Threat:** These networks provide a persistent, scalable platform for long-term espionage and the potential pre-positioning of offensive cyber capabilities against critical infrastructure.
## Mitigations
* **Patching & Updates:** Prioritize patching SOHO and IoT devices to prevent initial compromise.
* **Secure-by-Design:** Manufacturers are urged to eliminate default credentials and build more secure device architectures.
* **Endpoint Monitoring:** Increased visibility into edge device logs to detect unusual traffic patterns.
* **Behavioral Analysis:** Moving beyond static IP blocklists toward identifying anomalous behavior consistent with proxy relay activity.
* **Device Lifecycle Management:** Replacing end-of-life (EoL) equipment that no longer receives security updates.
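One way to act on the Endpoint Monitoring and Behavioral Analysis points above, as an added example that is not part of the advisory: score a monitored edge device's flow records for the relay fingerprint (many unrelated external hosts initiating sessions to it, many unrelated destinations it connects to, and traffic that passes through rather than being consumed). The `Flow` record layout, the `LAN_NET` prefix, the thresholds and the sample flows are constructed assumptions.

```python
# Proxy-relay heuristic over NetFlow-style records. Added example; field names,
# thresholds and all sample data are constructed assumptions, not advisory content.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
LAN_NET = ip_network("192.168.0.0/16")  # assumed LAN side of the edge devices

@dataclass(frozen=True)
class Flow:
    src: str        # session initiator
    dst: str        # responder
    dport: int
    fwd_bytes: int  # initiator -> responder
    rev_bytes: int  # responder -> initiator

def relay_indicators(flows, device, min_peers=5, max_asymmetry=0.3):
    """A relay (1) accepts sessions from many distinct external hosts, (2) opens
    sessions to many distinct external hosts and (3) passes bytes through, so bytes
    entering roughly equal bytes leaving. A normal router only initiates sessions
    and is download-heavy, so it fails (1) and (3). Thresholds are illustrative."""
    inbound_peers, outbound_peers = set(), set()
    entering = leaving = 0
    for f in flows:
        if f.dst == device and ip_address(f.src) not in LAN_NET:
            inbound_peers.add(f.src)
            entering += f.fwd_bytes   # payload arriving from the external initiator
            leaving += f.rev_bytes    # the device's replies going back out
        elif f.src == device and ip_address(f.dst) not in LAN_NET:
            outbound_peers.add(f.dst)
            leaving += f.fwd_bytes    # payload the device sends onward
            entering += f.rev_bytes   # responses coming back to the device
    total = entering + leaving
    asymmetry = abs(entering - leaving) / total if total else 1.0
    suspected = (len(inbound_peers) >= min_peers
                 and len(outbound_peers) >= min_peers
                 and asymmetry <= max_asymmetry)
    return {"device": device, "inbound_peers": len(inbound_peers),
            "outbound_peers": len(outbound_peers),
            "asymmetry": round(asymmetry, 2), "relay_suspected": suspected}

RELAY = "192.0.2.1"   # WAN address of a router behaving like a relay (constructed)
NORMAL = "192.0.2.2"  # WAN address of a router behaving normally (constructed)
SAMPLE_FLOWS = (
    # six unrelated external hosts open sessions to the relay's WAN port ...
    [Flow(f"198.51.100.{i}", RELAY, 8443, 4000 + 50 * i, 1200) for i in range(11, 17)]
    # ... and the relay opens comparable sessions to six unrelated destinations
    + [Flow(RELAY, f"203.0.113.{i}", 443, 3900 + 50 * i, 1250) for i in range(21, 27)]
    # the normal router only initiates traffic, mostly downloads
    + [Flow(NORMAL, "203.0.113.50", 443, 800, 90000), Flow(NORMAL, "203.0.113.51", 123, 76, 76)]
    # LAN-side traffic to the relay is not counted as an external peer
    + [Flow("192.168.1.20", RELAY, 53, 60, 120)]
)
```

A home server that legitimately accepts inbound connections will trip (1) but not (3), so the byte-symmetry term is what separates pass-through relaying from ordinary hosting; tune `max_asymmetry` against a baseline of your own devices before alerting.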