CISA's Advisory: Defend Against Chinese Covert Cyber Threats

04/23/2026 10:00 AM EDT

CISA and the United Kingdom’s National Cyber Security Centre, in collaboration with other federal and international partners, have released a cybersecurity advisory, Defending Against China-nexus Covert Networks of Compromised Devices, providing network defenders with vital tools and resources to combat the threat posed by Chinese government-linked threat actors’ use of covert networks of compromised devices.

The advisory outlines tactics, techniques, and procedures associated with Chinese government-linked covert networks built from compromised small-office-home-office routers, Internet of Things, and smart devices. It explains how threat actors leveraging these covert networks, including those previously tied to groups such as Volt Typhoon and Flax Typhoon, use large scale botnet infrastructure to obscure attribution and enable reconnaissance, intrusion, command-and-control, and data exfiltration.

The advisory provides tailored defensive guidance for cyber defenders to identify, baseline, and mitigate activity originating from dynamic, deniable covert networks to reduce the risk of organizational compromise.

CISA and partners recommend the following steps to protect against this threat:

Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connected to them.
Baseline normal connections, especially to corporate VPNs or other similar devices.
Maintain log collection and storage solutions to assist with detecting and responding to unauthorized access attempts.
Implement multifactor authentication for remote connections.

For more information on Chinese government-linked threat actor activity, please visit CISA’s China Threat Overview and Advisories page. CISA also provides helpful resources on the Edge Device Security webpage.

Please share your thoughts with us through this anonymous survey. We appreciate your feedback.