
International cyber agencies share fresh advice to defend against China-linked covert networks

An international coalition of cyber agencies has issued a joint advisory warning that China-linked threat actors are leveraging covert networks of compromised edge devices to disguise their attacks. The advisory highlights the growing problem of 'IOC extinction' and urges organizations to shift towards dynamic threat filtering and behavioral baselining of edge device traffic to maintain effective defense.

Confidence: high | Analyzed: 2026-04-23

Authors: National Cyber Security Centre (NCSC)

Actors: China-linked actors, Flax Typhoon, Integrity Technology Group

Source: NCSC

Key Takeaways

  • China-linked threat actors are increasingly utilizing covert networks of compromised edge devices (e.g., home routers, smart devices) to obscure their malicious activity.
  • Defenders face the challenge of 'IOC extinction,' where indicators of compromise disappear rapidly, rendering static blocklists less effective.
  • Integrity Technology Group, a Chinese information security company, was sanctioned for managing a botnet utilized by the Flax Typhoon threat group.
  • Organizations are strongly advised to map and baseline their edge device traffic, particularly VPN and remote access connections.
  • Dynamic threat feed filtering that includes known covert network indicators should be adopted to counter these evasive tactics.

Affected Systems

  • Edge devices
  • Home routers
  • Smart devices
  • Internet-connected devices

Attack Chain

Threat actors compromise vulnerable, everyday internet-connected edge devices such as home routers and smart devices. These compromised devices are aggregated into covert networks or botnets, managed externally by entities like Chinese information security companies. The actors then route their malicious traffic through this infrastructure to target critical sectors globally, steal sensitive data, and maintain persistent access while obscuring their true origins and causing rapid IOC extinction.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but advises organizations to adopt dynamic threat feed filtering and baseline their edge device traffic.

Detection Engineering Assessment

  • EDR Visibility: Low — The malicious activity originates from compromised edge devices (e.g., SOHO routers, IoT devices) which typically do not support standard EDR agent installation.
  • Network Visibility: High — Detection relies heavily on monitoring network traffic, specifically baselining VPN and remote access connections originating from or passing through edge devices.
  • Detection Difficulty: Hard — The use of covert networks and the phenomenon of 'IOC extinction' means static indicators are unreliable, requiring continuous behavioral baselining and dynamic analysis.

Required Log Sources

  • Firewall logs
  • VPN logs
  • NetFlow/IPFIX
  • DNS logs

Hunting Hypotheses

Hypothesis: Anomalous spikes in remote access or VPN traffic originating from unexpected consumer ISP ranges or known SOHO router IP spaces.
Telemetry: VPN logs, Firewall logs
ATT&CK Stage: Command and Control
FP Risk: Medium

Control Gaps

  • Lack of visibility into edge and IoT device integrity
  • Over-reliance on static IOCs that suffer from rapid extinction

Key Behavioral Indicators

  • Anomalous VPN connection patterns
  • Traffic originating from known compromised SOHO device ranges

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Map and baseline edge device traffic, especially VPN and remote access connections.
  • Adopt dynamic threat feed filtering that includes known covert network indicators.
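As an added illustration of the hunting hypothesis above and the two mitigations just listed (not code from the NCSC advisory or from this report), the following Python baselines VPN logins per source /24 over constructed log lines, flags a day whose count exceeds the baseline, and separately matches sources against a constructed stand-in for a dynamic covert-network feed. The log format, feed ranges and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed stand-in for a dynamic covert-network feed (RFC 5737 documentation range, not an advisory indicator).
COVERT_FEED = [ip_network("203.0.113.0/24")]

# Constructed VPN log lines "<day> <src_ip> <user>"; days d1-d3 form the baseline, d4 is the day under review.
SAMPLE_LOGS = """\
d1 198.51.100.10 alice
d1 198.51.100.11 bob
d2 198.51.100.10 alice
d2 198.51.100.12 carol
d3 198.51.100.10 alice
d3 198.51.100.11 bob
d4 198.51.100.10 alice
d4 198.51.100.13 dave
d4 198.51.100.14 erin
d4 198.51.100.15 frank
d4 198.51.100.16 gina
d4 203.0.113.7 alice
"""

def parse(text):
    """Yield (day, src_ip, user) for each well-formed log line."""
    for line in text.splitlines():
        day, ip, user = line.split()
        yield day, ip_address(ip), user

def feed_hits(events):
    """Dynamic filtering: source IPs that fall inside any range currently on the feed."""
    return sorted({str(ip) for _, ip, _ in events if any(ip in n for n in COVERT_FEED)})

def daily_counts(events):
    """Logins per day per source /24; the /24 is the unit used for baselining."""
    counts = defaultdict(Counter)
    for day, ip, _ in events:
        counts[day][str(ip_network((ip, 24), strict=False))] += 1
    return counts

def spikes(counts, day, z=2.0, min_count=3):
    """Source /24s whose login count on `day` exceeds baseline mean + z*stdev over earlier days."""
    history = sorted(d for d in counts if d < day)
    out = {}
    for net, n in counts[day].items():
        past = [counts[d].get(net, 0) for d in history]
        if len(past) >= 2 and n >= min_count and n > mean(past) + z * pstdev(past):
            out[net] = n
    return out
```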

Infrastructure Hardening

  • Secure and patch internet-connected edge devices and home routers.
  • Implement the Cyber Assessment Framework for large organizations to ensure robust network architecture.

User Protection

  • Ensure remote workers secure their home routers and smart devices, including changing default credentials and applying firmware updates.

Security Awareness

  • Educate security teams on the concept of 'IOC extinction' and the necessity of adaptive, intelligence-driven defense measures.
  • Encourage small organizations to utilize the free Cyber Action Toolkit.

MITRE ATT&CK Mapping

  • T1584.005 - Compromise Infrastructure: Botnet
  • T1090.002 - Proxy: External Proxy
  • T1133 - External Remote Services