Here is the report, Defending against China-nexus covert networks of compromised devices (pdf).
A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations, according to a joint 10-country advisory.
“Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks,” the security advisory warned. It was jointly released by the UK National Cyber Security Centre (NCSC) and 15 other government agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden.
“The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale,” according to the alert.
Some of these covert networks are created and maintained by Chinese information security companies, the advisory says. For example, China’s Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices.
…
I would guess a ton of this is exploiting vulnerable cloud-connected IoT devices that manufacturers don’t actually support with updates and if they did, users wouldn’t install them.
The embedded MCU firmware scene has only recently started taking security seriously at a larger scale. It was always an afterthought before, I hear.