International cyber agencies are calling on organisations to understand and better defend against covert networks made up of smart routers and IoT devices.

To help defend against the cyber threat from covert networks, the 16 international organisation across ten countries published joint advice last week.

The advisory highlights how to defend against these attacker tactics which are believed to be used by the majority of China-linked actors to obscure malicious cyber activity.

Covert networks are often made up of vulnerable everyday internet-connected edge devices, such as home routers and smart devices, that have been compromised. These networks are being leveraged at scale to target critical sectors globally, steal sensitive data and maintain persistent access.

The advisory is designed to assist organisations with the latest protective advice. It includes comprehensive mitigation advice to help defend against activity originating from a covert network. It also warns of a key issue for network defenders: IoC extinction, where indicators of compromise disappear as quickly as they are discovered, requiring more adaptive, intelligence-driven measures to mitigate the risks.

The joint advisory consolidates insights and proactive advice from across the international cyber security community to help network defenders combat the use of covert networks. In recent years, there has been a deliberate shift in cyber groups based in China using these networks to hide their malicious activity in an attempt to avoid accountability.

The advisory has been issued by 16 agencies:

• Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
• Communications Security Establishments Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
• Germany Federal Office for the Protection of the Constitution; Bundesamt für Verfassungsschutz (BfV)
• Germany Federal Intelligence Service; Bundesnachrichtendienst (BND)
• Germany Federal Office for Information Security; Bundesamt für Sicherheit in der Informationstechnik (BSI)
• Japan National Cybersecurity Office (NCO)
• Netherlands General Intelligence & Security Service; Algemene Inlichtingen-en Veiligheidsdienst (AIVD)
• Netherlands Defence Intelligence and Security Service; Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• Spain National Cryptologic Centre; Centro Criptológico Nacional (CCN)
• Sweden National Cyber Security Centre; Nationellt cybersäkerhetscenter (NCSC-SE)
• UK National Cyber Security Centre (NCSC), part of GCHQ
• US Cybersecurity & Infrastructure Security Agency (CISA)
• US Department of Defense Cyber Crime Center (DC3)
• US Federal Bureau of Investigation (FBI)
• US National Security Agency (NSA)

“Our new joint advisory consolidates insights and proactive advice from across the international cyber-security community to help network defenders combat the use of covert networks,” said Paul Chichester, NCSC director of operations. “In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability. The NCSC will not shy away from shining a light on these techniques and we call on organisations to act now to better defend their critical assets.”

The advisory can be read at www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices.

An executive summary is also available at: www.ncsc.gov.uk/news/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices.