China-Linked Cyber Actors Strengthen Operations with Massive Covert Botnets to Evade Detection


A recent cybersecurity advisory has unveiled a significant evolution in the tactics, techniques, and procedures (TTPs) employed by China-linked threat actors. This report, developed in collaboration with the UK Cyber League and the National Cyber Security Centre (NCSC-UK), along with international partners, emphasizes how these actors are increasingly relying on extensive covert networks of compromised devices to execute malicious cyber operations.

A Strategic Shift in China-Nexus TTPs

In recent years, cybersecurity analysts have noted a distinct shift in the operational methods of China-linked cyber actors. Instead of relying on dedicated infrastructure that is individually controlled, these actors are now utilizing vast networks of compromised devices, commonly referred to as covert networks or botnets. These networks predominantly consist of Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and other internet-connected hardware.

The advisory indicates that a majority of China-linked actors are believed to be leveraging such covert networks, with multiple networks often operating simultaneously and shared among various groups. The continuous updating of these networks enhances their adaptability, making them challenging to track.

Organizations across various sectors are at risk of being targeted by these actors. For instance, the group known as Volt Typhoon has employed these covert networks to strategically position cyber capabilities within critical infrastructure, while Flax Typhoon has utilized similar tactics for espionage activities.

How Covert Networks Operate

While botnets are not a new phenomenon, the scale and strategic deployment of these networks by China-linked actors have reached unprecedented levels. These covert networks enable attackers to conceal their identities, route malicious traffic through numerous nodes, and significantly reduce the risk of attribution.

Typically, an attacker gains access to the network through an entry point, or “on-ramp,” and routes their activities through multiple compromised devices—referred to as traversal nodes—before exiting near the intended target. This multi-hop strategy effectively obscures the origin of the attack.

These networks facilitate every phase of a cyber operation, from reconnaissance and scanning to malware delivery, command-and-control communication, and data exfiltration. They are also employed for general browsing, allowing threat actors to investigate vulnerabilities and refine their TTPs without exposing their identities. The presence of legitimate users on some networks further complicates attribution efforts.

Real-World Examples and Scale

Evidence suggests that certain covert networks utilized by China-linked actors are developed and maintained by Chinese cybersecurity firms. A notable example is the “Raptor Train” network, which infected over 200,000 devices globally in 2024. This network was reportedly managed by Integrity Technology Group, a company also linked by the FBI to activities associated with Flax Typhoon.

Another significant instance includes the KV Botnet, which was used by Volt Typhoon and primarily exploited outdated Cisco and Netgear routers. These devices were particularly vulnerable due to their “end-of-life” status, meaning they no longer received essential security updates.

The scale and adaptability of these networks pose a considerable challenge. Paul Chichester, NCSC Director of Operations, remarked that “botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks.”

Challenges for Network Defenders

Cybersecurity researchers have long recognized the threats posed by these actors, but the evolving nature of China-linked TTPs introduces new complexities. A critical issue identified by Mandiant Intelligence in May 2024 is “indicator of compromise (IOC) extinction.” Traditional defenses, such as static IP blocklists, are becoming increasingly ineffective as attackers can operate from vast, constantly changing pools of devices.

As compromised nodes are patched or removed, new ones are rapidly added, rendering these networks highly dynamic. This fluidity undermines conventional detection and mitigation strategies.

Defensive Measures and Best Practices

The advisory outlines several steps organizations can take to defend against China-linked covert networks:

For All Organizations:

  • Maintain a clear inventory of network edge devices.
  • Establish baselines for normal network activity, particularly regarding VPN access.
  • Monitor for unusual connections, including those from consumer broadband ranges.

For Higher-Risk Organizations:

  • Use IP allow lists instead of blocklists for VPN access.
  • Apply geographic and behavioral profiling of incoming connections.
  • Adopt zero-trust security models.
  • Enforce SSL machine certificates.
  • Reduce exposure of internet-facing systems.
  • Explore machine learning tools to detect anomalies.

For the Most At-Risk Entities:

  • Treat China-linked covert networks as advanced persistent threats (APTs).
  • Map and monitor known covert networks using threat intelligence.
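The allow-list and consumer-broadband checks from the lists above, and the "IOC extinction" point about static blocklists, worked through as an added example that is not part of the advisory or the original article; every address, range, label and log line is constructed, and the range labels stand in for the ASN/WHOIS profiling a real deployment would use:

```python
import ipaddress

# Constructed sample VPN authentication events (not taken from the advisory).
VPN_LOG = """\
2024-05-01T08:02:11Z user=alice src=203.0.113.7 result=success
2024-05-01T08:05:42Z user=bob src=198.51.100.23 result=failure
2024-05-01T23:17:05Z user=alice src=192.0.2.55 result=success
2024-05-02T03:41:19Z user=carol src=192.0.2.140 result=success
"""

# Constructed range labels; a real deployment would derive these from ASN/WHOIS
# data and its own baseline of where staff normally connect from.
RANGE_LABELS = {
    ipaddress.ip_network("203.0.113.0/24"): "corporate-office",
    ipaddress.ip_network("198.51.100.0/24"): "corporate-office",
    ipaddress.ip_network("192.0.2.0/24"): "consumer-broadband",
}
# Static blocklist with one node from an earlier campaign; the botnet has since
# rotated to other devices, so it matches nothing in the log ("IOC extinction").
STATIC_BLOCKLIST = {ipaddress.ip_address("192.0.2.99")}
# Allow list: the only ranges from which VPN logins are expected at all.
ALLOW_LIST = [net for net, label in RANGE_LABELS.items() if label == "corporate-office"]

def label_for(ip):
    for net, label in RANGE_LABELS.items():
        if ip in net:
            return label
    return "unknown"

def parse(line):
    """Turn 'ts key=value ...' into a dict with a parsed source address."""
    ts, *kv = line.split()
    ev = dict(item.split("=", 1) for item in kv)
    ev["ts"], ev["src"] = ts, ipaddress.ip_address(ev["src"])
    return ev

def evaluate(log_text):
    """Return (blocklist_hits, policy_alerts) for the successful logins."""
    blocklist_hits, alerts = [], []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["result"] != "success":
            continue
        if ev["src"] in STATIC_BLOCKLIST:
            blocklist_hits.append((ev["user"], str(ev["src"])))
        label = label_for(ev["src"])
        if label == "consumer-broadband" or not any(ev["src"] in n for n in ALLOW_LIST):
            alerts.append((ev["user"], str(ev["src"]), label))
    return blocklist_hits, alerts
```

Run against the constructed log, the blocklist matches nothing while the allow-list and range-profile policy flags both logins from the consumer-broadband range.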

This advisory serves as a crucial reminder of the evolving landscape of cyber threats and the need for organizations to adapt their defenses accordingly.

Source: thecyberexpress.com
