9:30AM, 24 April 2026
TLP Rating:
Defending against China-nexus covert networks of compromised devices
The National Cyber Security Centre, alongside industry and 15 international partners from across nine other countries, has issued a new advisory, highlighting how to defend against these attacker tactics which are believed to be used by the majority of China-linked actors to obfuscate malicious cyber activity.
What's happening
Systems affected
Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, towards the use of externally provisioned, large-scale networks of compromised devices, or “covert networks”.
The use of covert networks of compromised devices to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale.
Covert networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT), smart devices, firewalls and Network Attached Storage (NAS) devices.
This advisory describes the typical makeup of a covert network and what they are being used for. It also includes protective advice for organisations being targeted by cyber activity using a covert network as an access vector.
More information
Download the advisory. [PDF, 627 KB]
If you require more information or further support, submit a report on our website:
Report an incident. External Li.External L.
If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.
How helpful was this page?
This site is protected by reCAPTCHA and the Google Privacy Policy External Link and Terms of Service External Link apply.