UK NCSC flags China-linked botnets

- On April 23, 2026, the UK NCSC and 15 partners warned that China-linked actors now route attacks through botnets of hacked routers.
- The advisory says most China-nexus threat actors use these “covert networks,” which are constantly refreshed, causing “IOC extinction” as indicators vanish fast.
- A separate May 1 NCSC warning says AI will speed bug discovery, forcing faster patching on exposed systems.

Routers are the story here — not in the abstract, but the cheap home and small-office boxes that sit at the edge of the internet and usually get ignored. The UK’s National Cyber Security Centre said on April 23 that China-linked threat actors are now leaning on huge “covert networks” of compromised routers and smart devices to hide where attacks come from and keep access alive. That matters because this is aimed at real targets — critical sectors, sensitive data, and long-term footholds inside networks. Then, a week later, the NCSC added a second warning: AI is about to make the patching problem worse, not better.

### What actually changed?

The shift is from rented or individually procured attack infrastructure to botnets built from hacked edge devices. The NCSC says this is now the default model for China-nexus operators, not a niche trick. It also says multiple covert networks exist at once, they are constantly updated, and the same network can be shared across different threat groups. That makes attribution harder and blocking harder — basically, defenders are chasing a moving swarm instead of a fixed set of servers. (ncsc.gov.uk)

### Why do routers matter so much?

Because routers and other edge devices are perfect camouflage. They sit on the perimeter, they often run old firmware, and many never get patched after installation. If an attacker can bounce traffic through thousands of those devices, the traffic looks less like a state operation and more like random internet noise. The NCSC says these covert networks can support the whole attack chain — reconnaissance, malware delivery, command-and-control, and data theft. (ncsc.gov.uk)

### Who is the UK pointing at?

The language is careful, but the direction is not. The advisory says the majority of China-linked actors are believed to use these covert networks. It also ties the tactic to known campaigns like Volt Typhoon, which used compromised infrastructure to pre-position access against critical national infrastructure, and it points back to the September 2024 exposure of Integrity Technology Group in China for managing a botnet used by Flax Typhoon. (ncsc.gov.uk)

### What’s the nasty technical catch?

The NCSC calls it “IOC extinction.” That means indicators of compromise — IPs, domains, device fingerprints — disappear as quickly as defenders discover them because the botnet keeps refreshing itself. Old-school blocking still helps, but on its own it breaks down fast. The advice is to map and baseline edge-device traffic, especially VPN and remote-access connections, use dynamic threat feeds, and add stronger controls like MFA, allow lists, machine certificates, and zero-trust checks. (ncsc.gov.uk)

### Where does AI come into this?

In a separate May 1 blog post, NCSC CTO Ollie Whitehouse warned that AI is speeding up vulnerability discovery across decades of accumulated technical debt. The point is not that AI created the weaknesses. The weaknesses were already there. AI just helps skilled attackers find and operationalize them faster, which compresses the time between disclosure and exploitation. That is why the NCSC is telling organizations to prepare for a “vulnerability patch wave.” (ncsc.gov.uk)

### So what should defenders do first?

Start at the perimeter. The NCSC’s advice is blunt: prioritize internet-facing systems, then work inward across cloud and on-prem environments. Prepare to patch faster, more often, and at scale — including through suppliers. If a device is end-of-life and exposed, the answer may be replacement, not heroic monitoring. And for organizations at higher risk, the NCSC is pushing better observability and active threat hunting, because you cannot hunt what you cannot see. (ncsc.gov.uk)

### Why this matters now

This is not just another botnet warning. It is a warning that infrastructure used for espionage and disruption is getting cheaper, deniable, and more disposable at the same moment AI is making latent bugs easier to surface. Put those together and the defender’s job changes — fewer static blocklists, more continuous visibility, faster remediation, and much less tolerance for forgotten edge gear. (ncsc.gov.uk)

### Bottom line

The UK is saying two things at once. China-linked operators are hiding inside giant router botnets now, and the coming flood of newly exposed vulnerabilities will make that kind of activity easier to sustain unless organizations get much faster at seeing and patching what is exposed. (ncsc.gov.uk 1) (ncsc.gov.uk 2)
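To make the “IOC extinction” point concrete, here is an added example (not NCSC code) that contrasts a static indicator feed with the baseline-the-edge advice above: it ages out indicators that have not been refreshed and flags remote-access logins from a source ASN a user has never used before. The log format, the indicator feed and the 30-day freshness window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN/remote-access log lines in a hypothetical key=value format.
LOGS = """
2026-04-20T08:01:00Z user=alice src=203.0.113.10 asn=AS64500 result=ok
2026-04-21T08:03:00Z user=alice src=203.0.113.11 asn=AS64500 result=ok
2026-04-22T09:10:00Z user=bob src=198.51.100.8 asn=AS64501 result=ok
2026-04-28T02:17:00Z user=alice src=192.0.2.45 asn=AS64510 result=ok
2026-04-28T02:20:00Z user=bob src=198.51.100.9 asn=AS64501 result=ok
""".strip().splitlines()

# Constructed indicator feed: indicator -> date it was last reported by the feed.
IOC_FEED = {"192.0.2.200": datetime(2026, 3, 1), "192.0.2.45": datetime(2026, 1, 5)}

def parse(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def active_iocs(feed, now, max_age_days):
    """Keep only indicators refreshed within max_age_days; older ones are treated as extinct."""
    return {ioc for ioc, seen in feed.items() if now - seen <= timedelta(days=max_age_days)}

def build_baseline(events, cutoff):
    """Per-user set of source ASNs seen in successful logins before the cutoff (learning window)."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["ts"] < cutoff and ev["result"] == "ok":
            baseline[ev["user"]].add(ev["asn"])
    return baseline

def detect(events, baseline, cutoff, iocs):
    """Alert on post-cutoff logins that hit a live indicator or come from an unseen ASN."""
    alerts = []
    for ev in events:
        if ev["ts"] < cutoff:
            continue
        if ev["src"] in iocs:
            alerts.append(("ioc_match", ev["user"], ev["src"]))
        elif ev["asn"] not in baseline.get(ev["user"], set()):
            alerts.append(("new_asn", ev["user"], ev["asn"]))
    return alerts

def run(max_ioc_age_days=30):
    events = [parse(line) for line in LOGS]
    cutoff = datetime(2026, 4, 25)  # everything before this trains the baseline
    iocs = active_iocs(IOC_FEED, cutoff, max_ioc_age_days)
    return detect(events, build_baseline(events, cutoff), cutoff, iocs)
```

With the 30-day window the stale indicator for 192.0.2.45 has already aged out, so the blocklist is silent and only the baseline deviation catches alice’s login from a new ASN; widening the window to 365 days makes the same login an indicator hit instead.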
