- GCHQ’s National Cyber Security Centre with UK industry and 15 international partners shine light on best protections against methods used by China-linked threat actors.
- Covert networks, often made up of compromised devices such as smart devices, are being used to disguise the origins and attributions of cyber attacks.
- Organisations urged to follow the protective advice outlined in the new advisory, launched on Day Two of the CYBERUK 2026 conference, to combat this risk.
International cyber agencies are calling on organisations to understand and better defend against the cyber threat from covert networks by following new joint advice published today (Thursday).
The National Cyber Security Centre (NCSC) – a part of GCHQ – alongside industry and 15 international partners from across nine other countries, has issued a new advisory highlighting how to defend against these attacker tactics, which are believed to be used by the majority of China-linked actors to obscure malicious cyber activity.
Covert networks are often made up of vulnerable everyday internet-connected edge devices, such as home routers and smart devices, that have been compromised. These networks are being leveraged at scale to target critical sectors globally, steal sensitive data, and maintain persistent access.
The new advisory, produced with members of the NCSC’s Cyber League programme with industry, has been published on the second day of the UK government’s flagship CYBERUK conference and is designed to assist organisations with the latest protective advice.
It includes comprehensive mitigation advice to help defend against activity originating from a covert network.
It also warns of a key issue for network defenders: IOC extinction, where indicators of compromise disappear as quickly as they are discovered, requiring more adaptive, intelligence-driven measures to mitigate the risks.
“Our new joint advisory consolidates insights and proactive advice from across the international cyber security community to help network defenders combat the use of covert networks.
“In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability.
“The NCSC will not shy away from shining a light on these techniques and we call on organisations to act now to better defend their critical assets.”
Paul Chichester, NCSC Director of Operations
The advisory describes how covert networks used by China-linked actors are being created and maintained, externally, by Chinese information security companies.
In September 2024, alongside international partners, the NCSC called out Integrity Technology Group, an information security company based in China, for controlling and managing a botnet which was utilised by Flax Typhoon.
In December 2025, the UK government sanctioned Integrity Technology Group, alongside another China-based information security company, for their reckless and indiscriminate malicious cyber activity against the UK and its allies.
Small organisations are encouraged to use the free Cyber Action Toolkit, with larger organisations encouraged to secure Cyber Essentials certification and use the updated Cyber Assessment Framework.
The advisory has been issued by the NCSC alongside the Cyber League and 15 co-sealing agencies, including:
- Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
- Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
- Germany Federal Office for the Protection of the Constitution – Bundesamt für Verfassungsschutz (BfV)
- Germany Federal Intelligence Service – Bundesnachrichtendienst (BND)
- Germany Federal Office for Information Security – Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Japan National Cybersecurity Office (NCO) – 国家サイバー統括室
- Netherlands General Intelligence and Security Service – Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
- Netherlands Defence Intelligence and Security Service – Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Spain National Cryptologic Centre – Centro Criptológico Nacional (CCN)
- Sweden National Cyber Security Centre – Nationellt cybersäkerhetscenter (NCSC-SE)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Federal Bureau of Investigation (FBI)
- United States National Security Agency (NSA)
The advisory can be read on the NCSC website: https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices
An executive summary is also available on the NCSC website: https://www.ncsc.gov.uk/news/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices