Guidance issued on defending against China-nexus covert networks
The Australian Cyber Security Centre (ACSC), in conjunction with numerous international partners, has announced guidance on defending against China-nexus covert networks of compromised devices. Its purpose is to give network defenders the tools needed to defend against China-nexus cyber actors and their tactic of routing their cyber activity through large-scale networks of compromised devices.
Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure, and towards the use of externally provisioned, large-scale networks of compromised devices.
The UK National Cyber Security Centre (NCSC) assesses that the majority of China-nexus threat actors are using these networks (‘covert networks’), that multiple covert networks have been created and are being constantly updated, and that a single covert network may be in use by multiple actors at once. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.
Anyone who is a target of China-nexus cyber actors may be affected by the use of covert networks. They have been used by the Chinese state-sponsored actor Volt Typhoon to pre-position offensive cyber capabilities on critical national infrastructure. The group Flax Typhoon used a different covert network of compromised infrastructure to conduct cyber espionage.
The use of covert networks of compromised devices — also known as botnets — to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically and at scale.
The advisory describes the typical make-up of a covert network and what they are being used for. It also includes protective advice for organisations being targeted by cyber activity using a covert network as an access vector.
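One practical consequence of the tactic described above is that attacker traffic arrives from ordinary residential and small-business IP ranges rather than from a single hosting provider, so IP reputation and geo-blocking alone give little warning. The script below is an added illustration, not part of the advisory or of ACSC tooling: it reads constructed authentication log lines and flags any account whose logins within a short window come from an unusually large number of unrelated /24 networks, which is the "distributed source" pattern a covert network of compromised SOHO devices produces. The log format, the 10-minute window, the threshold of five /24s and the sample lines are all assumptions made for the example.

```python
"""Flag accounts whose logins arrive from many unrelated source networks.

Added example (not from the advisory). Assumptions: a simple log format of
"<ISO-8601 UTC timestamp> <user> <src_ip> <result>", a 10-minute window and a
threshold of five distinct /24 networks per user in that window.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

WINDOW = timedelta(minutes=10)   # assumed analysis window
THRESHOLD = 5                    # assumed: distinct /24s per user per window

# Constructed sample log. "alice" is hit from six different /24s in under a
# minute (what routing through many compromised SOHO devices looks like);
# "bob" and "carol" each use a single source network.
SAMPLE_LOG = """\
2024-09-18T10:00:01Z alice 203.0.113.10 FAIL
2024-09-18T10:00:09Z alice 198.51.100.77 FAIL
2024-09-18T10:00:15Z alice 192.0.2.33 FAIL
2024-09-18T10:00:22Z alice 203.0.113.200 FAIL
2024-09-18T10:00:31Z alice 198.18.1.4 FAIL
2024-09-18T10:00:40Z alice 198.18.2.9 FAIL
2024-09-18T10:00:47Z alice 198.19.5.20 SUCCESS
2024-09-18T10:01:02Z bob 203.0.113.10 SUCCESS
2024-09-18T10:05:00Z bob 203.0.113.10 SUCCESS
2024-09-18T11:30:00Z carol 198.51.100.20 FAIL
2024-09-18T11:30:05Z carol 198.51.100.20 SUCCESS
"""


def parse_line(line):
    """Parse one log line into (timestamp, user, /24 network, result)."""
    ts, user, ip, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Collapse the source address to its /24 so hosts on one access network
    # count once; an ASN lookup would be a better grouping key if available.
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return when, user, net, result


def distributed_source_scores(log_text, window=WINDOW):
    """Return {user: most distinct /24s seen for that user in any window}."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    by_user = defaultdict(list)
    for when, user, net, _result in events:
        by_user[user].append((when, net))

    scores = {}
    for user, evs in by_user.items():
        best = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({net for _, net in evs[start:end + 1]})
            best = max(best, distinct)
        scores[user] = best
    return scores


def flag_accounts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Accounts whose distinct-source count reaches the threshold, sorted."""
    scores = distributed_source_scores(log_text, window)
    return sorted(user for user, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    for user, score in sorted(distributed_source_scores(SAMPLE_LOG).items()):
        print(f"{user}: {score} distinct /24s in a {WINDOW} window")
    print("flagged:", flag_accounts(SAMPLE_LOG))
```

Treat a hit as a prompt for investigation rather than an automatic block: the source devices are legitimate home and small-office routers whose owners are also victims, so blocking them by IP is both ineffective (the actor simply rotates to another device in the network) and likely to lock out genuine users who share those ranges.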
The full advisory can be found here.
