China hackers target gadgets for secrets theft
Source: ft.com
TL;DR
- China-Nexus Hackers: FT reports China-linked groups use compromised consumer devices like routers to steal western secrets via covert networks.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)[[2]](https://www.theguardian.com/technology/2026/apr/23/china-cyber-hacker-using-everyday-devices-hack-uk-firms)
- Raptor Train Scale: One network, Raptor Train, infected over 200,000 devices worldwide in 2024, run by Chinese firm Integrity Technology Group.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
- Espionage Threat: Networks enable deniable espionage and pre-positioning on critical infrastructure by groups like Volt Typhoon and Flax Typhoon.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
The story at a glance
The Financial Times article covers a joint advisory from the UK's NCSC and 14 other agencies warning that China-nexus cyber actors have shifted to using large covert networks of compromised consumer devices for espionage and attacks. These networks, built from SOHO routers, IoT gadgets like web cameras, and smart devices, disguise attack origins and support groups such as Volt Typhoon and Flax Typhoon. The advisory arrives amid rising concern over Chinese cyber sophistication, following examples like the Raptor Train botnet. Agencies including CISA, FBI, and NSA issued it on April 23, 2026.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Key points
- China-nexus actors, including state-sponsored Volt Typhoon and Flax Typhoon, use covert networks mainly of hacked SOHO routers plus IoT and smart devices for deniable malicious routing.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
- Networks feature entry, traversal, and exit nodes to hide origins; they cover reconnaissance, malware delivery, command/control, and data exfiltration.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
- Raptor Train botnet, controlled by Chinese company Integrity Technology Group and linked to Flax Typhoon, compromised thousands of routers, web cameras, video recorders, firewalls, and NAS devices, infecting over 200,000 globally in 2024.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
- KV Botnet, used by Volt Typhoon, relies on vulnerable, end-of-life Cisco and NetGear routers without security patches.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
- Chinese information security firms create and maintain these networks, sometimes shared among actors or even sold to legitimate customers, complicating detection.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
- Joint advisory from NCSC-UK, CISA, FBI, NSA, and partners in Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden urges mapping edge devices and using dynamic threat feeds.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Details and context
The advisory details a tactical shift by most China-nexus actors from rented servers to these dynamic botnets, which refresh as devices get patched, evading static IP blocks. Devices are exploited via unpatched vulnerabilities, often end-of-life models, turning household or small office gear into proxies for attacks on unrelated targets like firms or infrastructure.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Volt Typhoon has used them to pre-position on US critical infrastructure such as energy and transport; Flax Typhoon has used them for broad espionage against governments and companies worldwide. The networks lower cost and risk for the operators while enabling scale: Raptor Train alone spanned endpoints worldwide.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Defenses focus on baselining traffic, IP and geographic allow-lists for VPN access, zero trust, and hunting for consumer broadband connections into corporate systems. Smaller firms are pointed to basic NCSC toolkits; high-risk organisations are urged to track these networks as APTs.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Key quotes
“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks.” — Paul Chichester, NCSC director of operations.[[3]](https://www.washingtontimes.com/news/2026/apr/23/security-agencies-say-chinese-hackers-using-hijacked-networks-large)
“We face more than just a capable cyber-threat but a peer competitor in cyberspace.” — Richard Horne, NCSC chief executive.[[2]](https://www.theguardian.com/technology/2026/apr/23/china-cyber-hacker-using-everyday-devices-hack-uk-firms)
Why it matters
China-nexus actors' scale and sophistication in cyber operations challenge western defenses, enabling espionage and potential sabotage of critical infrastructure amid geopolitical tensions. Companies and governments face higher risk from unpatched consumer devices unwittingly aiding attacks on their networks, which complicates attribution and response. Watch for updates on these networks, new botnet takedowns, or escalated use in crises, though the dynamic tactics may limit how long any disruption lasts.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
What changed
Most China-nexus actors have shifted from procuring individual infrastructure to large-scale covert networks of compromised devices. Networks of SOHO routers and IoT devices are now standard for deniable espionage and pre-positioning. The shift was observed over recent years and is detailed in the April 23, 2026 advisory.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
FAQ
Q: What devices do China-nexus hackers mainly compromise for covert networks?
A: Primarily small office home office (SOHO) routers, plus internet of things (IoT) and smart devices like web cameras, video recorders, printers, firewalls, and network-attached storage (NAS). These are often vulnerable because they lack security patches. Examples include the Cisco and NetGear routers used in the KV Botnet.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Q: Which groups use these covert networks according to the advisory?
A: State-sponsored Volt Typhoon for pre-positioning on critical infrastructure, and Flax Typhoon for espionage; networks like Raptor Train are linked to the latter via Chinese firm Integrity Technology Group. Multiple actors share them.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Q: How do these networks hide attacks?
A: Traffic routes through entry, traversal, and exit nodes across compromised devices worldwide, disguising origins like a multi-hop proxy. They support all cyber kill chain phases while being low-cost and dynamic.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
Q: What defenses does the joint advisory recommend?
A: Map edge devices and baseline traffic; use IP allow-lists, multi-factor authentication, zero trust; leverage dynamic threat feeds; high-risk entities hunt for consumer IP connections and track networks as APTs.[[1]](https://www.ic3.gov/CSA/2026/260423.pdf)
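The hunting guidance in "Details and context" and in the FAQ answer above (IP and geographic allow-lists for VPN access, and looking for consumer broadband connections into corporate systems) can be turned into a simple detection pass over VPN gateway logs. The following is an added example, not code from the FT article, the advisory, or any of the agencies named; the log line format, the allow-list ranges, the ASN table and the sample log lines are all constructed for illustration, and the in-memory ASN table stands in for a real IP-to-ASN and geolocation feed.

```python
"""
Hunt VPN logins that come from outside the corporate allow-list or from
consumer-broadband address space, over constructed sample log lines.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed allow-list: corporate office egress and the cloud egress staff use.
VPN_ALLOW_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
ALLOWED_COUNTRIES = {"GB", "DE"}  # constructed geographic allow-list

# Constructed stand-in for an IP-to-ASN/geo feed (in practice a commercial or
# public lookup). Prefix -> (asn, org, country, is_consumer_broadband)
ASN_TABLE = {
    "203.0.113.0/24": (64500, "Example Corp", "GB", False),
    "198.51.100.0/25": (64501, "Example Cloud", "DE", False),
    "192.0.2.0/25": (64502, "Example Home Broadband", "GB", True),
    "192.0.2.128/25": (64503, "Example Overseas ISP", "XX", True),
}

# Constructed log format for a hypothetical VPN gateway ("vpn-gw").
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple


def lookup(ip):
    """Return the ASN-table entry covering ip, or None if unknown."""
    for prefix, info in ASN_TABLE.items():
        if ip in ipaddress.ip_network(prefix):
            return info
    return None


def hunt(lines):
    """Return a Finding for every successful login that breaks a rule.

    Rules: source outside the IP allow-list, source in consumer-broadband
    space, source country outside the geographic allow-list, or source
    with no ASN information at all (worth a look on its own).
    Failed logins are skipped here; they belong to a separate brute-force check.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        ip = ipaddress.ip_address(m["src"])
        reasons = []
        if not any(ip in net for net in VPN_ALLOW_LIST):
            reasons.append("outside-ip-allow-list")
        info = lookup(ip)
        if info is None:
            reasons.append("unknown-asn")
        else:
            asn, _org, country, consumer = info
            if consumer:
                reasons.append(f"consumer-broadband:AS{asn}")
            if country not in ALLOWED_COUNTRIES:
                reasons.append(f"outside-geo-allow-list:{country}")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["src"], tuple(reasons)))
    return findings


# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
2026-04-23T08:01:02Z vpn-gw: user=alice src=203.0.113.17 result=success
2026-04-23T08:05:41Z vpn-gw: user=bob src=192.0.2.44 result=success
2026-04-23T08:07:13Z vpn-gw: user=carol src=192.0.2.200 result=failure
2026-04-23T08:09:55Z vpn-gw: user=dave src=192.0.2.200 result=success
2026-04-23T08:12:30Z vpn-gw: user=erin src=198.51.100.200 result=success
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.ts, f.user, f.src, ", ".join(f.reasons))
```

Run as a script it reports bob (home broadband), dave (overseas consumer ISP, outside the geo allow-list) and erin (outside the allow-list with no ASN match), and stays silent on alice. In a real deployment the ASN table would be replaced by a proper lookup, and the findings fed to a ticketing or SIEM pipeline rather than printed; the point is that "consumer broadband connecting to corporate systems" is a cheap, explicit rule once the allow-list is written down.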