Covert Botnets Warning

- U.S. and allied agencies warned Chinese-linked actors hide cyberattacks using hijacked common devices as covert botnets.
- Cybersecurity Dive and the Washington Times say these covert networks complicate detection while Iran-linked groups refine infrastructure attacks.
- South Korea also warned about AI capable of autonomous cyberattacks, raising concerns about stealthy, automated threats and resilience needs.

(cybersecuritydive.com) (washingtontimes.com) (upi.com)

A botnet is a crowd of hacked internet devices, and U.S. and allied agencies said on April 23 that China-linked operators are now using those crowds to hide cyberattacks at scale. (cisa.gov) The advisory was issued by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency and the Defense Department’s Cyber Crime Center with partners from the United Kingdom, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain and Sweden. It says the operators are routing activity through compromised small-office and home-office routers, Internet of Things gear and other smart devices. (cisa.gov)

The agencies said China-linked groups have shifted over the past few years from renting or buying infrastructure to relying on “externally provisioned” networks of hijacked devices that are constantly refreshed. The U.K. National Cyber Security Centre said a single covert network can be shared by multiple actors, making attribution harder. (ncsc.gov.uk)

In plain terms, the method works like using stolen cars for a getaway instead of your own. Investigators may still see the traffic, but the traffic appears to come from ordinary routers and cameras scattered across homes and small businesses. (cisa.gov)

The warning landed as officials tied the tactic to known Chinese state-backed campaigns. The allied advisory said Volt Typhoon used covert networks to pre-position access on critical national infrastructure, while Flax Typhoon used a separate covert network for cyber espionage. (ncsc.gov.uk) This is not the first time agencies have pointed to router botnets in China-linked operations. In September 2024, the National Security Agency and allies warned that People’s Republic of China-linked actors had compromised routers and Internet of Things devices in a botnet that included thousands of U.S. devices. (nsa.gov)

A separate U.S. warning this month showed a different risk: direct disruption of physical systems. On April 7, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation said Iranian-affiliated actors were exploiting Rockwell Automation and Allen-Bradley programmable logic controllers at U.S. water, energy and municipal sites. (cisa.gov) Programmable logic controllers are industrial computers that open valves, start pumps and run machinery. The April 7 advisory said the Iranian-linked activity caused malicious changes on human-machine interface and supervisory control displays, the screens operators use to watch and control equipment. (cisa.gov)

South Korea’s National Intelligence Service added a third warning on April 22, saying advanced artificial intelligence models are beginning to find software flaws and carry out hacking steps on their own. The agency said it issued a government-wide security advisory over risks from systems that can autonomously detect vulnerabilities and execute attacks. (upi.com)

The common thread in the April warnings is less about one country than about how attacks are being delivered: through hijacked everyday devices, industrial control gear and increasingly automated software. The allied guidance told defenders to hunt for unusual traffic from edge devices, patch exposed equipment and assume that cheap routers and smart hardware can become part of someone else’s covert network. (cisa.gov)
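As an added illustration of the "hunt for unusual traffic from edge devices" guidance, the script below is example code written for this page; it is not from the advisory, from CISA or from any of the agencies named. It takes a small inventory of edge devices (a SOHO router and an IP camera), a baseline of the destination ports such devices are expected to use for their own traffic, and a handful of constructed flow records, and flags any edge device that initiates a connection to an outside address on an unexpected port or with an unusually large outbound volume. The device addresses, the local network range, the port baseline and the byte threshold are all assumptions made up for the example.

```python
"""Hunt for unusual outbound traffic from edge devices in flow records.

Example code added for this page, not from the advisory. It models the
"hunt for unusual traffic from edge devices" guidance as a simple
baseline-and-deviation check over constructed flow records.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory of edge devices on a hypothetical local network.
# In practice this would come from an asset inventory or DHCP leases.
LOCAL_NET = ip_network("192.0.2.0/24")
EDGE_DEVICES = {
    "192.0.2.1": "soho-router",
    "192.0.2.20": "ip-camera",
}

# Destination ports an edge device is normally expected to use for its own
# traffic (DNS, NTP, HTTPS for firmware and cloud check-ins). Constructed
# baseline; a real one would be learned from weeks of known-good flows.
EXPECTED_PORTS = {53, 123, 443}

# Constructed threshold: edge devices rarely push this much data outbound.
LARGE_UPLOAD_BYTES = 500_000


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (source, destination, dst port, bytes sent)."""
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed sample flows; none of these addresses refer to real hosts.
SAMPLE_FLOWS = [
    Flow("192.0.2.1", "198.51.100.10", 123, 76),        # router NTP sync: expected
    Flow("192.0.2.1", "198.51.100.10", 443, 5120),      # router update check: expected
    Flow("192.0.2.1", "203.0.113.7", 8443, 921_600),    # odd port, large upload
    Flow("192.0.2.20", "198.51.100.10", 443, 2048),     # camera cloud check-in: expected
    Flow("192.0.2.20", "203.0.113.9", 22, 4096),        # camera opening SSH outbound
    Flow("192.0.2.50", "203.0.113.9", 22, 4096),        # workstation, not an edge device
]


def is_external(ip: str) -> bool:
    """True when the destination lies outside the local network range."""
    return ip_address(ip) not in LOCAL_NET


def hunt_edge_traffic(flows, edge_devices=EDGE_DEVICES, expected_ports=EXPECTED_PORTS):
    """Return (src, role, dst, reason) tuples for suspicious edge-device flows.

    A flow is flagged only when it originates from an inventoried edge device,
    goes to an external address, and either uses a destination port outside
    the device baseline or carries an unusually large outbound volume.
    """
    findings = []
    for f in flows:
        role = edge_devices.get(f.src)
        if role is None or not is_external(f.dst):
            continue
        reasons = []
        if f.dport not in expected_ports:
            reasons.append(f"unexpected dst port {f.dport}")
        if f.bytes_out >= LARGE_UPLOAD_BYTES:
            reasons.append(f"large outbound volume {f.bytes_out} bytes")
        if reasons:
            findings.append((f.src, role, f.dst, "; ".join(reasons)))
    return findings


def destinations_by_device(findings):
    """Group flagged external destinations per edge device for triage."""
    grouped = {}
    for src, role, dst, _reason in findings:
        grouped.setdefault(f"{role} {src}", set()).add(dst)
    return grouped


if __name__ == "__main__":
    for src, role, dst, reason in hunt_edge_traffic(SAMPLE_FLOWS):
        print(f"[hunt] {role} {src} -> {dst}: {reason}")
```

The check deliberately ignores non-edge hosts (the workstation flow is skipped even though it matches the port rule), because the guidance is about routers, cameras and similar gear that have no business initiating arbitrary outbound sessions; a real deployment would replace the static port set with a learned per-device baseline and feed the findings into the same triage queue as other edge-device alerts.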

Shared from Scout - Be the smartest in the room.