(TLP:CLEAR) Joint Cybersecurity Advisory – Defending Against China-Nexus Covert Networks of Compromised Devices
Created: Thursday, April 23, 2026 - 15:33
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: Today, CISA and several international partners released a joint cybersecurity advisory (JCSA) warning of China-nexus cyber actors leveraging large-scale “covert networks” of compromised devices, including small office/home office (SOHO) routers and internet-of-things (IoT) systems, to conduct cyber operations. These networks are used to obscure attribution and support activities across the cyber kill chain, including reconnaissance, command-and-control (C2), and data exfiltration. Given the persistent targeting of critical infrastructure, including water and wastewater systems, WaterISAC encourages members to review the JCSA and implement recommended defense measures.
Analyst Note: The advisory highlights a notable evolution in Chinese state-sponsored cyber operations, shifting away from dedicated infrastructure toward dynamic, distributed networks of compromised devices. These covert networks, often made up of end-of-life or poorly secured edge devices, enable threat actors to blend malicious activity with legitimate traffic and rapidly rotate infrastructure, reducing the effectiveness of traditional IOC-based defenses such as static IP blocklists.
Notably, these networks have been associated with activity from groups such as Volt Typhoon and Flax Typhoon, which have targeted critical infrastructure to pre-position access and conduct espionage. The use of geographically proximate “exit-nodes” further complicates detection, as traffic may appear regionally legitimate.
For water utilities, this reinforces several longstanding risk themes:
- The increased risk from internet-facing edge devices (e.g., routers, firewalls, VPN appliances).
- The growing challenge of distinguishing legitimate from malicious traffic.
- The limitations of relying solely on traditional perimeter and static indicators.
Additionally, the advisory underscores the concept of “IOC extinction,” in which the scale and dynamism of these networks render IP-based blocking less effective. Instead, defenders must prioritize behavioral analysis, network baselining, and identity-based controls.
Mitigation Considerations:
In light of this activity, WaterISAC encourages members to strengthen foundational cybersecurity practices and adapt defenses to account for dynamic, distributed threat infrastructure. Members are encouraged to consider:
- Developing and maintaining a comprehensive inventory of network edge devices and external connections
- Baselining normal network activity, particularly for VPN and remote access services
- Implementing multifactor authentication (MFA) for all remote access points
- Reducing exposure of internet-facing assets wherever possible
- Leveraging dynamic threat intelligence feeds rather than static blocklists
- Applying allow-listing approaches for remote access (e.g., IP, geography, device profiling) where feasible
- Enhancing monitoring and anomaly detection capabilities, including use of NetFlow and behavioral analytics
- Ensuring timely patching and replacement of end-of-life devices, particularly SOHO and IoT systems
Members with more advanced capabilities are encouraged to consider adopting zero trust architectures, actively hunting for anomalous connections from consumer or unexpected IP ranges, and tracking covert network infrastructure as part of ongoing threat intelligence efforts.
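The baselining, anomaly-detection and threat-hunting items above can be combined into a single detector for remote-access logins. The following is an added example written for this summary; it is not code from WaterISAC or CISA. It assumes a VPN appliance that emits one JSON line per authentication with fields ts, user, src_ip, country and asn_type (the last a label such as "residential" or "business" from an IP-enrichment source); those field names, the cutoff date, the users and all sample log lines are constructed, and the IP addresses come from RFC 5737 documentation ranges. The script learns a per-user baseline from a training window, then flags later logins that come from a network, country, ISP type or hour the user has never used, and flags rapid source-IP churn for one account, which is the rotation behaviour the advisory describes.

```python
"""Baseline-and-deviation check for remote-access (VPN) logins.

Added example, not from the WaterISAC summary or the CISA advisory.
Assumes one JSON object per line with fields ts, user, src_ip, country
and asn_type; field names, users and sample values are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

ROTATION_WINDOW = timedelta(minutes=60)
ROTATION_THRESHOLD = 3  # distinct source IPs for one account inside the window

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts":"2026-04-01T08:02:11Z","user":"ops.jane","src_ip":"203.0.113.10","country":"US","asn_type":"business"}
{"ts":"2026-04-02T08:05:40Z","user":"ops.jane","src_ip":"203.0.113.12","country":"US","asn_type":"business"}
{"ts":"2026-04-03T07:58:03Z","user":"ops.jane","src_ip":"203.0.113.11","country":"US","asn_type":"business"}
{"ts":"2026-04-01T13:20:00Z","user":"scada.bob","src_ip":"198.51.100.7","country":"US","asn_type":"business"}
{"ts":"2026-04-02T13:25:10Z","user":"scada.bob","src_ip":"198.51.100.7","country":"US","asn_type":"business"}
{"ts":"2026-04-20T02:14:55Z","user":"ops.jane","src_ip":"192.0.2.77","country":"US","asn_type":"residential"}
{"ts":"2026-04-20T02:16:02Z","user":"ops.jane","src_ip":"192.0.2.130","country":"US","asn_type":"residential"}
{"ts":"2026-04-20T02:17:30Z","user":"ops.jane","src_ip":"192.0.2.201","country":"US","asn_type":"residential"}
{"ts":"2026-04-21T13:22:09Z","user":"scada.bob","src_ip":"198.51.100.7","country":"US","asn_type":"business"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts; adds an aware datetime and the /24."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["net"] = str(ipaddress.ip_network(f'{ev["src_ip"]}/24', strict=False))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-user sets of /24s, countries, ISP types and login hours seen before cutoff."""
    base = defaultdict(lambda: {"nets": set(), "countries": set(),
                                "asn_types": set(), "hours": set()})
    for ev in events:
        if ev["ts"] >= cutoff:
            continue
        b = base[ev["user"]]
        b["nets"].add(ev["net"])
        b["countries"].add(ev["country"])
        b["asn_types"].add(ev["asn_type"])
        b["hours"].add(ev["ts"].hour)
    return base


def detect(events, baseline, cutoff):
    """Score events at or after cutoff against the baseline; return alert dicts."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, src_ip)] inside the rotation window
    for ev in events:
        if ev["ts"] < cutoff:
            continue
        user, reasons = ev["user"], []
        b = baseline.get(user)
        if b is None:
            reasons.append("no_baseline")  # account never seen during learning
        else:
            if ev["net"] not in b["nets"]:
                reasons.append("new_network")
            if ev["country"] not in b["countries"]:
                reasons.append("new_country")
            if ev["asn_type"] == "residential" and "residential" not in b["asn_types"]:
                reasons.append("residential_source")  # consumer/SOHO-style origin
            if ev["ts"].hour not in b["hours"]:
                reasons.append("off_hours")
        # Rotation: the same account arriving from many source IPs within one hour.
        window = [(t, ip) for t, ip in recent[user] if ev["ts"] - t <= ROTATION_WINDOW]
        window.append((ev["ts"], ev["src_ip"]))
        recent[user] = window
        if len({ip for _, ip in window}) >= ROTATION_THRESHOLD:
            reasons.append("source_rotation")
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"].isoformat(),
                           "src_ip": ev["src_ip"], "reasons": reasons})
    return alerts


def run(log_text, cutoff_iso):
    """Learn from events before cutoff_iso, then score the rest."""
    events = parse_log(log_text)
    cutoff = datetime.fromisoformat(cutoff_iso.replace("Z", "+00:00"))
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG, "2026-04-15T00:00:00Z"):
        print(alert)
```

On the constructed sample, the three April 20 logins for ops.jane are each flagged as a new network, a residential source and an off-hours login, and the third one additionally as source rotation; scada.bob's April 21 login matches his baseline and produces no alert. In practice the learning window should be long enough to cover normal travel and shift patterns, and the residential label should come from an enrichment feed rather than a static list, which is the point the advisory makes about dynamic intelligence over static blocklists.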
Original Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a
Related WaterISAC PIRs: 6, 7, 7.1, 10, 10.1, 10.2, 12
