A man walks near a large sculpture of the Communist Party flag at the Chinese Communist Party History Exhibition in Beijing, China, Sunday, March 1, 2026. (AP Photo/Vincent Thian)

Security agencies say Chinese hackers using hijacked networks for large-scale cyberattacks

by · The Washington Times

Chinese hacking groups linked to large-scale cyberattacks and intrusions of critical infrastructure are using covert computer networks for their operations, according to a British government security report made public Thursday.

The report by the London-based National Cyber Security Centre provides new details on how Chinese cyber actors have recently shifted from using their own, home-grown infrastructure to a new method of masking espionage and infrastructure penetrations: routing operations through networks of compromised computer devices.

The British report is the latest indicator that U.S. and international efforts to counter widespread Chinese hacking operations have been ineffective, despite numerous reports and public information identifying groups and activities mainly linked to Beijing.

Cyber counterspies believe the majority of China-linked hackers are using multiple “covert networks,” also called botnets, that are frequently updated and shared by multiple groups, the report said.

“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks,” said Paul Chichester, director of operations at the government center.

L.J. Eads, a strategic intelligence analyst at the research firm Data Abyss, said the report reveals a deliberate strategy by the Chinese Communist Party of seeking to embed within the digital infrastructure of its adversaries.

“This advisory also underscores a clear shift from traditional cyber espionage to pre-positioning for disruptive operations,” Mr. Eads said.

“What we’re seeing … is consistent with the Pentagon’s evolving offensive cyber doctrine: shaping the battlespace in advance, holding critical infrastructure at risk, and enabling offensive cyber options that can be activated in a crisis,” he added.


The change in tactics has been identified over the past several years; while not new, it is aiding extensive malicious cyber activity, with Chinese actors “now using them strategically, and at scale,” the report said.

“These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices,” states the report published jointly by 15 allied intelligence and security services in Asia and Europe, including the National Security Agency and FBI.

“Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks,” the report stated.

Chinese hacker groups have been identified by U.S. government investigators as conducting large-scale intrusions of both government and private sector networks in the United States and around the world.

The report identifies two Chinese hacker groups linked to the Beijing government that use the covert networks for their attacks, Volt Typhoon and Flax Typhoon, and one botnet, called Raptor Train by security companies.


Botnets “have been used by Chinese state-sponsored actors Volt Typhoon to pre-position offensive cyber capabilities on critical national infrastructure,” the report said.

U.S. officials have described Volt Typhoon as among the most strategically significant Chinese hacking groups. It has been linked to the planting of malicious backdoors or software in infrastructure that could be used to sabotage communications, energy, water and transportation systems in a future crisis, such as a conflict over Taiwan.

Its activities have been linked to the People’s Liberation Army Cyberspace Force.

A second Chinese group, Flax Typhoon, operated from a separate covert network of compromised infrastructure in conducting large-scale cyber espionage, the report said.


Flax Typhoon has been linked by U.S. cyber counterspies to operations against Taiwan through hacking of government agencies, critical manufacturers, and information-technology firms. It has also compromised networks at universities, corporations, media organizations, and government entities in the United States, Europe, Africa and elsewhere.

The covert networks are described in the report as a low-cost, low-risk method of connecting through the internet in a deniable way that disguises the origin.

Hackers used the networks for every phase of an attack, what the report calls “cyber kill chains.” Those phases include network scans for reconnaissance, delivering malware, communicating with that malware and exfiltrating data from victims.

The networks also are used for covert internet browsing, allowing hackers to research targets and develop new tactics and procedures.


Some of the networks also are used by legitimate Chinese customers for internet browsing, a feature that makes it more difficult for intelligence agencies to link the activity to malicious actors, the report said.

Evidence obtained by security agencies has identified covert networks maintained by Chinese information security companies.

The FBI has stated that Flax Typhoon is tied to Beijing-based Integrity Technology Group, a cybersecurity contractor sanctioned by the U.S. Treasury in January 2025.

Integrity is among several ostensibly private Chinese security companies sanctioned for their role in cyberattacks.


Other Beijing-linked firms that have been hit with U.S. sanctions include the Wuhan Xiaoruishi Science and Technology Co. and Sichuan Silence; such companies, Integrity Technology Group among them, often act as front groups for the Ministry of State Security, the civilian spy agency.

The NSA has identified the Sichuan Juxinhe Network Technology Co. Ltd. and Beijing Huanyu Tianqiong Information Technology Co. Ltd. as government contract agents for China’s Salt Typhoon cyber operations.

The Guangzhou Bo Yu Information Technology Co., known as Boyusec, has been connected by U.S. officials to Huawei Technologies, a major telecommunications firm, for intelligence work.

Several Boyusec employees have been indicted for cyberattacks on U.S. targets.

The networks that the hackers use are mainly compromised home routers but can also include any device that has been hacked and taken over.

Chinese hackers set up Raptor Train from thousands of compromised home routers and internet-of-things devices, such as web cameras and video recorders, as well as firewalls and network storage devices.

Another covert network, known as the KV Botnet and used by Volt Typhoon hackers, was made up mostly of hacked Cisco and Netgear routers.

Many of the compromised devices were used because they were out of date and no longer receiving updates or security patches from their manufacturers.

Raptor Train was used in 2024 by Flax Typhoon hackers and infected more than 200,000 devices worldwide. The botnet was controlled by the Chinese company Integrity Technology Group, which the FBI has described as a launchpad for Flax Typhoon.

In addition to Britain and the U.S., security and intelligence services from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden jointly released the report, posted online by the Cybersecurity and Infrastructure Security Agency.

The report urges all computer network operators to counter the botnets by mapping devices and their connections and by using virtual private networks (VPNs) or other similar services.

Multi-factor authentication is also recommended, and cybersecurity officials are urged to use machine learning tools to detect and block anomalies.
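As an added example (not from the report or this article) of the mapping-and-anomaly advice in the two paragraphs above, the script below checks a constructed device inventory for end-of-life or long-unpatched devices, then flags scan-like fan-out and abnormal outbound volume in constructed flow records; the inventory fields, thresholds, addresses and baselines are this example's own assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory of the device types the report names (field names are
# this example's own assumption): a SOHO router, an IP camera and a NAS box.
DEVICES = [
    {"id": "rtr-01", "kind": "router", "last_patch": date(2021, 3, 1), "eol": True},
    {"id": "cam-07", "kind": "camera", "last_patch": date(2025, 9, 15), "eol": False},
    {"id": "nas-02", "kind": "nas", "last_patch": date(2022, 6, 10), "eol": False},
]
AS_OF = date(2026, 3, 5)  # constructed "today" for the patch-age check

# Constructed outbound flows (device_id, dest_ip, dest_port, bytes_out): rtr-01
# touches 30 hosts on one port (scan-like), nas-02 pushes a large volume to one
# host (exfiltration-like), cam-07 looks normal.
FLOWS = (
    [("rtr-01", f"203.0.113.{i}", 22, 300) for i in range(1, 31)]
    + [("nas-02", "198.51.100.9", 443, 900_000_000)]
    + [("cam-07", "198.51.100.20", 443, 12_000)]
)
# Constructed per-device outbound baseline in bytes, learned from past traffic.
BASELINE = {"rtr-01": 50_000, "cam-07": 10_000, "nas-02": 5_000_000}


def stale_devices(devices, today=AS_OF, max_age_days=365):
    """Ids of end-of-life or long-unpatched devices: the population the report
    says botnet operators recruit from."""
    return sorted(d["id"] for d in devices
                  if d["eol"] or (today - d["last_patch"]).days > max_age_days)


def traffic_anomalies(flows, baseline, fanout_threshold=20, volume_factor=10):
    """Flag scan-like fan-out (many distinct destinations) and outbound volume
    far above a device's baseline. Returns {device_id: [reasons]}."""
    dests, out_bytes = defaultdict(set), defaultdict(int)
    for dev, ip, _port, nbytes in flows:
        dests[dev].add(ip)
        out_bytes[dev] += nbytes
    findings = {}
    for dev in dests:
        reasons = []
        if len(dests[dev]) >= fanout_threshold:
            reasons.append(f"fan-out to {len(dests[dev])} hosts")
        if dev in baseline and out_bytes[dev] > volume_factor * baseline[dev]:
            reasons.append(f"outbound {out_bytes[dev]} bytes vs baseline {baseline[dev]}")
        if reasons:
            findings[dev] = reasons
    return findings
```

On the constructed data, stale_devices(DEVICES) returns the router and the NAS, and traffic_anomalies(FLOWS, BASELINE) flags the router for fan-out and the NAS for outbound volume while the camera stays clean.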

• Bill Gertz can be reached at bgertz@washingtontimes.com.
