Morning Overview

Cyber agencies warn China-linked hackers are masking attacks via everyday devices

That old router collecting dust in your closet, or the network-attached storage box you set up years ago and never updated, may be doing double duty as a spy tool. In a joint advisory published in early 2025 and reinforced by follow-up guidance circulating as recently as April 2026, cyber agencies from the United States, the United Kingdom, and 15 allied nations warned that China-linked hacking groups are hijacking ordinary consumer devices to build covert relay networks that disguise the origins of large-scale espionage campaigns.

The NSA-led advisory and a companion bulletin from the UK’s National Cyber Security Centre identify routers, firewalls, webcams, and network-attached storage units as the device categories most commonly compromised. For businesses and households alike, the message is blunt: aging, unpatched gadgets sitting on home and office networks are being quietly conscripted into attack infrastructure aimed at critical sectors.

How the covert networks work

The threat actors target what security professionals call “edge” devices: hardware that sits at the boundary between a local network and the open internet. Once compromised, a home router or a small-business firewall becomes a relay point, forwarding malicious traffic through what looks like a legitimate residential or commercial IP address. Defenders tracing an intrusion see traffic arriving from a suburb in Ohio or a small office in London, not from a server tied to a known threat group.

That camouflage is the whole point. By routing operations through thousands of compromised consumer devices and discarding each one after brief use, the attackers create what the NCSC calls “IOC extinction.” Traditional indicators of compromise, the digital fingerprints security teams share to detect known threats, become obsolete almost as fast as they are published. The churn rate outpaces the intelligence-sharing mechanisms that allied governments and private-sector defenders depend on.

The result is low-cost, deniable infrastructure that scales easily. Billions of consumer-grade devices ship worldwide each year, many with default credentials and limited vendor support. China-linked operators appear to be exploiting that global gap between device proliferation and long-term maintenance, turning forgotten hardware into shadow infrastructure that is cheap, disposable, and difficult to attribute.

Enforcement actions that confirm the pattern

The advisory did not arrive in a vacuum. In January 2024, the Department of Justice announced a court-authorized operation to disrupt the KV Botnet, deleting malware from compromised routers and severing their connections to a command-and-control network. The vast majority of devices in that botnet were end-of-life Cisco and Netgear routers, hardware that no longer receives security patches. A federal judge reviewed the FBI’s probable cause before authorizing the takedown, lending the technical claims a higher evidentiary threshold than a policy statement alone.

A year later, in January 2025, the U.S. Treasury sanctioned Integrity Technology Group, a China-based company linked to the threat cluster known as Flax Typhoon. Active since at least 2021 according to government assessments, Flax Typhoon has targeted critical infrastructure sectors with a focus on long-term access and reconnaissance rather than quick-hit criminal theft. Treasury’s designation tied the company to operational support for cyber units that sustain persistent footholds inside sensitive networks.

Taken together, the advisory, the botnet disruption, and the sanctions package reveal a consistent strategy: instead of relying solely on bespoke servers, China-linked operators are systematically abusing widely distributed devices that owners often forget about once they are plugged in.

What remains unclear

Significant gaps in the public record limit how fully defenders can act. The joint guidance does not publish granular technical indicators for the specific covert networks it describes. The NCSC’s own framing of IOC extinction partly explains why: by the time indicators are shared, the attackers may have already rotated to a fresh pool of compromised devices.

The scale of Flax Typhoon’s operations also lacks precise public measurement. Treasury confirmed activity against critical infrastructure but did not specify the number of targeted entities or the full geographic spread of victims. No subsequent public filings have assessed whether the KV Botnet reconstituted itself after the FBI’s takedown or whether its operators simply shifted to replacement infrastructure.

International coordination beyond the advisory is similarly opaque. While 15 partner nations are listed, no primary source details enforcement actions, arrests, or device-seizure operations conducted outside the United States. Whether allied governments have taken parallel legal steps or are relying solely on defensive advisories remains unconfirmed. China, for its part, has consistently denied conducting state-sponsored cyberattacks, calling such accusations politically motivated.

Another open question concerns device manufacturers. The advisory clearly identifies end-of-life equipment as a systemic weakness, but there is little public evidence that vendors face regulatory or market pressure to extend support lifecycles or ship more secure default configurations. Without changes on the supply side, defenders are left treating symptoms.

What organizations and home users should do now

The practical guidance from the agencies is concrete, and it applies to anyone who owns a router, firewall, or network-attached storage device. End-of-life hardware that no longer receives firmware updates is a documented attack surface. The KV Botnet case proved that outdated routers served as the backbone of a state-linked espionage network.

First, check whether your devices still receive security patches from their manufacturers. If they do not, replace them. Second, disable remote management features you are not actively using; these are the entry points attackers exploit most often. Third, change default credentials on every device connected to your network. Fourth, monitor outbound traffic for unusual relay patterns, a sign that a device may be forwarding traffic it should not be.

For IT teams managing larger networks, the NCSC’s emphasis on IOC extinction carries a specific lesson: static blocklists alone are no longer sufficient. Behavioral detection, spotting anomalous traffic patterns rather than scanning for known-bad addresses, needs to take priority.
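What the fourth step and the NCSC’s behavioral-detection lesson look like in practice, as an added illustration that is not part of the advisory or the NCSC guidance: a small detector that examines traffic originated by the edge device itself (the router’s own address, not the LAN clients behind it) and flags a window in which the device opens bulky, bidirectionally balanced sessions to many new external hosts, the shape forwarded relay traffic tends to have, while a stale static blocklist matches nothing. All addresses, ports, thresholds and flow records below are constructed sample data; 198.51.100.x and 203.0.113.x are documentation ranges standing in for internet hosts.

```python
"""Behavioral relay detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str         # address that opened the connection
    dst: str
    dport: int
    bytes_out: int   # bytes sent by src
    bytes_in: int    # bytes sent back to src


ROUTER_IP = "192.168.1.1"   # constructed: the edge device's own address
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records. Hour 1 (ts < 3600) is normal self-originated traffic:
# a DNS lookup, an NTP poll, a firmware check/download, plus one LAN client's
# browsing that is NOT the router's own. Hour 2 shows the router itself opening
# large, balanced sessions to five previously unseen external hosts.
SAMPLE_FLOWS = [
    Flow(100, ROUTER_IP, "198.51.100.1", 53, 80, 210),
    Flow(200, ROUTER_IP, "198.51.100.2", 123, 48, 48),
    Flow(300, ROUTER_IP, "198.51.100.3", 443, 900, 48000),
    Flow(400, "192.168.1.20", "198.51.100.50", 443, 5000, 90000),
    Flow(3700, ROUTER_IP, "203.0.113.10", 443, 40000, 38000),
    Flow(3800, ROUTER_IP, "203.0.113.11", 8443, 25000, 26000),
    Flow(3900, ROUTER_IP, "203.0.113.12", 443, 61000, 59000),
    Flow(4000, ROUTER_IP, "203.0.113.13", 443, 12000, 11500),
    Flow(4100, ROUTER_IP, "203.0.113.14", 22, 9000, 8800),
    Flow(4200, ROUTER_IP, "198.51.100.1", 53, 80, 200),
]

STATIC_BLOCKLIST = {"203.0.113.9"}   # constructed: an indicator that has already rotated out

# Constructed thresholds; a real deployment would baseline them per device model.
SYMMETRY_MIN = 0.8      # min(in, out) / max(in, out) for a "balanced" session
MIN_BYTES = 1000        # ignore tiny keep-alive style exchanges such as NTP
DST_THRESHOLD = 4       # distinct external hosts the device itself talked to
RELAY_THRESHOLD = 3     # balanced bulky sessions in the window


def is_external(ip: str) -> bool:
    """True for any address outside the RFC 1918 LAN ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def looks_like_relay(flow: Flow) -> bool:
    """Bulky and bidirectionally balanced, the shape of forwarded traffic.

    A DNS lookup (small, lopsided), an NTP poll (tiny) or a firmware download
    (heavily inbound) all fail this test; proxied sessions tend to pass it.
    """
    hi = max(flow.bytes_out, flow.bytes_in)
    lo = min(flow.bytes_out, flow.bytes_in)
    return lo >= MIN_BYTES and lo / hi >= SYMMETRY_MIN


def analyze(flows, device_ip: str, window: int = 3600) -> dict:
    """Per-window metrics for traffic the edge device originated itself."""
    buckets = defaultdict(list)
    for f in flows:
        if f.src == device_ip and is_external(f.dst):
            buckets[(f.ts // window) * window].append(f)
    report = {}
    for start, fl in sorted(buckets.items()):
        distinct = len({f.dst for f in fl})
        relay_like = sum(looks_like_relay(f) for f in fl)
        report[start] = {
            "distinct_dsts": distinct,
            "relay_like": relay_like,
            "flagged": distinct >= DST_THRESHOLD and relay_like >= RELAY_THRESHOLD,
        }
    return report


def blocklist_hits(flows, blocklist) -> int:
    """How many flows a static indicator list would have caught."""
    return sum(1 for f in flows if f.dst in blocklist)


if __name__ == "__main__":
    for start, metrics in analyze(SAMPLE_FLOWS, ROUTER_IP).items():
        print(f"window starting {start:>5}s: {metrics}")
    print("static blocklist hits:", blocklist_hits(SAMPLE_FLOWS, STATIC_BLOCKLIST))
```

The point of the comparison is that the blocklist returns zero hits on the same data in which the behavioral rule fires: the relay window uses addresses nobody has published yet, which is exactly the churn the NCSC describes. Keying the analysis on the device’s own source address matters too; a router that NATs a household of busy clients will always show many destinations, but the router itself should rarely originate more than DNS, NTP and vendor update checks.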

The broader tension this advisory exposes is structural and unlikely to resolve quickly. As long as consumer devices ship with weak defaults, receive limited support, and sit unmonitored on millions of networks, they will remain attractive to state-linked operators looking for cheap, disposable cover. The agencies have laid out the threat in unusually direct terms. Whether manufacturers, regulators, and device owners respond with matching urgency will determine how long these covert networks continue to thrive.


*This article was researched with the help of AI, with human editors creating the final content.