Volt Typhoon builds massive router botnets
- CISA, the FBI, NSA and Britain’s National Cyber Security Centre on April 23 said China-linked hackers now route intrusions through giant botnets of hijacked routers.
- The advisory said Flax Typhoon’s botnet topped 260,000 devices in June 2024, while Volt Typhoon used similar covert networks to pre-position access.
- Agencies say blocklists alone miss these shifting networks and urged behavior-based detection instead. (cisa.gov)
A router botnet is a stolen crowd of internet-connected devices, and Western cyber agencies say China-linked hackers are now using those crowds at scale. (cisa.gov) (ncsc.gov.uk)

On April 23, 2026, CISA, the Federal Bureau of Investigation, the National Security Agency and Britain’s National Cyber Security Centre published a joint advisory on what they called “covert networks” of compromised devices. (cisa.gov) (fbi.gov) Those networks are built mostly from small-office and home-office routers, plus internet-of-things and smart devices, then used as relay points so the real operator is harder to spot. (cisa.gov) (ncsc.gov.uk)

The advisory said this is no longer a niche tactic. Britain’s NCSC said “the majority” of China-nexus threat actors are using these covert networks, with multiple botnets being created and constantly refreshed. (cisa.gov) (ncsc.gov.uk)

Officials tied the warning to two already public cases. They said Volt Typhoon used covert networks to pre-position offensive cyber capabilities on critical national infrastructure, while Flax Typhoon used a different network for espionage. (cisa.gov 1) (cisa.gov 2) In Flax Typhoon’s case, U.S. authorities had already described a botnet run by Beijing-based Integrity Technology Group that had stayed active since mid-2021. As of June 2024, that botnet contained more than 260,000 compromised devices. (fbi.gov) (justice.gov)

The agencies said defenders should stop treating internet addresses as a reliable tell. These botnets rotate devices, blend into normal residential and business traffic, and can be shared by more than one hacking group. (cisa.gov) (ncsc.gov.uk) Instead, the advisory told network teams to baseline normal traffic, watch for unusual authentication and management activity, and prioritize patching and replacing exposed devices, especially equipment near end of life. (cisa.gov 1) (cisa.gov 2)

CISA’s news release said the same infrastructure can support espionage, data theft, account compromise and distributed denial-of-service attacks. The point of the botnet is not just scale, but deniability. (cisa.gov) (fbi.gov)

The latest warning pushes the story past one named group or one takedown. The agencies are describing a broader operating model they say now runs across much of China-linked cyber activity. (cisa.gov) (ncsc.gov.uk)
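The contrast the advisory draws between IP blocklists and behavior-based detection, as an added example that is not from the advisory or this article: a per-account baseline of management-plane logins flags a login from a relay address the blocklist has never seen, while the blocklist catches only the one address already known. The log events, the blocklist entry and the account name are constructed for illustration.

```python
"""Added example: IP blocklist versus behavior baseline on constructed
router-management login events. Not code from CISA, NCSC or the article."""

# Constructed events: (account, source_ip, interface, hour_utc).
BASELINE_EVENTS = [
    ("netadmin", "203.0.113.10", "ssh-mgmt", 9),
    ("netadmin", "203.0.113.10", "ssh-mgmt", 10),
    ("netadmin", "203.0.113.11", "ssh-mgmt", 14),
    ("netadmin", "203.0.113.10", "ssh-mgmt", 16),
]
NEW_EVENTS = [
    ("netadmin", "203.0.113.10", "ssh-mgmt", 11),  # usual prefix, usual hours
    ("netadmin", "198.51.100.7", "ssh-mgmt", 3),   # relay address already on the blocklist
    ("netadmin", "192.0.2.44", "ssh-mgmt", 2),     # rotated relay, not on any blocklist
]
BLOCKLIST = {"198.51.100.7"}  # constructed: one known relay address


def prefix24(ip):
    """Collapse an IPv4 address to its /24 so neighbouring addresses count as one source."""
    return ".".join(ip.split(".")[:3])


def blocklist_hits(events, blocklist):
    """Indicator matching: only addresses already on the list are caught."""
    return [e for e in events if e[1] in blocklist]


def build_baseline(events):
    """Per account, record the source prefixes and hours seen on management interfaces."""
    baseline = {}
    for account, ip, iface, hour in events:
        if iface.endswith("mgmt"):
            seen = baseline.setdefault(account, {"prefixes": set(), "hours": set()})
            seen["prefixes"].add(prefix24(ip))
            seen["hours"].add(hour)
    return baseline


def behaviour_alerts(events, baseline):
    """Flag management logins that deviate from the account's baseline,
    whatever the source address is; returns (ip, reasons) per alert."""
    alerts = []
    for account, ip, iface, hour in events:
        if not iface.endswith("mgmt"):
            continue
        seen = baseline.get(account, {"prefixes": set(), "hours": set()})
        reasons = []
        if prefix24(ip) not in seen["prefixes"]:
            reasons.append("new source prefix")
        if not any(abs(hour - h) <= 2 for h in seen["hours"]):
            reasons.append("outside usual hours")
        if reasons:
            alerts.append((ip, reasons))
    return alerts
```

Run against the constructed events, the blocklist reports one address while the baseline reports both relay logins, which is the gap the advisory describes when botnet devices rotate.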