How are China-nexus cyber operations using compromised consumer devices to evade network defenses?
By Shane Barney, Chief Information Security Officer, Keeper Security
China-nexus threat actors are increasingly routing operations through large, covert networks of compromised SOHO routers, IoT and edge devices so that malicious traffic blends with legitimate consumer activity. This tactic undermines the IP-based assumptions behind much of network defense and forces a shift toward identity-centric controls that validate users and machines rather than relying on static IP blocklists.

The NCSC advisory highlights campaigns that pre-position on critical infrastructure and use hundreds of thousands of compromised devices for espionage and command-and-control. These networks are dynamic, continuously refreshed and shared by multiple actors, so defenders cannot treat them as static targets. Because malicious traffic can appear to originate from the same region as the target, defenders must move beyond perimeter and IP-based controls and validate who and what is accessing systems.
The advisory’s recommended controls – MFA, connection baselining, zero trust, machine certificates and behavioral profiling – are identity-centric measures that authenticate both users and machines. Non-human identities (NHIs) such as service accounts and machine credentials often carry persistent access with limited governance; applying strong authentication, least privilege and regular secrets rotation to NHIs reduces their attractiveness as targets. Organizations should also baseline VPN connections per user and scrutinize access from consumer broadband ranges, since a login from a residential address in the target’s own country will pass a geography-based block while still being anomalous for that user.
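As an added illustration (not code from the advisory or from Keeper Security), the following Python script contrasts a country-based block with per-user VPN connection baselining. Everything in it is constructed for the example: the log format, the user and device names, the RFC 5737 test addresses, and the list of prefixes treated as consumer broadband, which a real deployment would derive from ASN or WHOIS data rather than hard-code. It shows two logins from the same residential address inside the allowed country that the geo-block admits but the baseline flags, and it also shows that a residential range is not suspicious by itself when it is the user’s established home network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: prefixes treated as consumer broadband. A real deployment
# would derive this from ASN/WHOIS data rather than a hard-coded list.
RESIDENTIAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample VPN authentication log (IPv4 only for this illustration).
# Fields: <timestamp> <user> <source_ip> <geo_country> <device_id>
BASELINE_LOG = """\
2025-03-03T08:02:11Z alice 192.0.2.10 US laptop-a1
2025-03-04T08:05:42Z alice 192.0.2.10 US laptop-a1
2025-03-05T07:58:03Z alice 192.0.2.11 US laptop-a1
2025-03-03T09:10:00Z bob 198.51.100.7 US desktop-b7
2025-03-04T09:12:30Z bob 198.51.100.7 US desktop-b7
2025-03-05T09:09:12Z bob 198.51.100.7 US desktop-b7
"""

# Constructed: later logins to evaluate. The last two come from one residential
# address in the target's own country, so a country-based block lets them through.
NEW_LOG = """\
2025-03-06T08:01:40Z alice 192.0.2.10 US laptop-a1
2025-03-06T02:14:55Z alice 203.0.113.44 US laptop-a1
2025-03-06T02:16:05Z bob 203.0.113.44 US desktop-b7
"""

ALLOWED_COUNTRIES = {"US"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, device = line.split()
        events.append({
            "ts": ts,
            "hour": int(ts[11:13]),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "net": ipaddress.ip_network(f"{ip}/24", strict=False),
            "country": country,
            "device": device,
        })
    return events


def is_residential(ip):
    return any(ip in net for net in RESIDENTIAL_PREFIXES)


def geo_block_allows(event):
    """The country-based control that the article argues is insufficient alone."""
    return event["country"] in ALLOWED_COUNTRIES


def build_baseline(events):
    """Per-user profile: source /24 networks, devices and login hours observed."""
    profiles = defaultdict(lambda: {"nets": set(), "devices": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["nets"].add(e["net"])
        p["devices"].add(e["device"])
        p["hours"].add(e["hour"])
    return profiles


def score_event(event, profiles, users_per_ip):
    """Return the list of deviations from the user's baseline (empty = normal)."""
    profile = profiles.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["net"] not in profile["nets"]:
        reasons.append("new source network")
        # A residential range only counts when it is new for this user:
        # bob's home broadband is in his baseline and is not flagged.
        if is_residential(event["ip"]):
            reasons.append("consumer broadband range")
    if event["device"] not in profile["devices"]:
        reasons.append("new device")
    if event["hour"] not in profile["hours"]:
        reasons.append("outside usual login hours")
    # Heuristic: one source address authenticating several distinct users in the
    # evaluation window is consistent with a shared relay rather than one home.
    if len(users_per_ip.get(event["ip"], set())) > 1:
        reasons.append("source IP shared by multiple users")
    return reasons


def evaluate(baseline_text, new_text):
    """Map each new login to its geo-block verdict and its baseline deviations."""
    profiles = build_baseline(parse_log(baseline_text))
    new_events = parse_log(new_text)
    users_per_ip = defaultdict(set)
    for e in new_events:
        users_per_ip[e["ip"]].add(e["user"])
    return {
        (e["user"], e["ts"]): {
            "geo_allowed": geo_block_allows(e),
            "deviations": score_event(e, profiles, users_per_ip),
        }
        for e in new_events
    }


if __name__ == "__main__":
    for key, verdict in evaluate(BASELINE_LOG, NEW_LOG).items():
        print(key, verdict)
```

Running it shows the geo-block admitting all three new logins, while the two 02:00 logins from 203.0.113.44 accumulate four deviations each (new network, consumer broadband, off-hours, shared source IP) and alice's normal morning login accumulates none. The hour check is deliberately crude (exact observed hours) to keep the example short; a production baseline would use a tolerance window and a longer learning period.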
For federal agencies, defense organizations and operators of critical infrastructure, this marks a continued shift toward identity as the primary control plane. When adversary activity can appear indistinguishable from legitimate user traffic, enforcing least-privilege access, securing administrative credentials and continuously validating sessions become essential.
The recent CISA advisory, Defending Against China-Nexus Covert Networks of Compromised Devices, explains that the use of covert networks of compromised devices – also known as botnets – to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically and at scale.
China-nexus operations exploiting compromised consumer devices render traditional network-origin defenses insufficient. Organizations must adopt identity-centric controls and rigorous governance for both human and non-human identities to maintain resilient access and reduce the asymmetric advantages these networks give attackers.

About the Author:
Shane Barney is the Chief Information Security Officer at Keeper Security, the leading zero-trust and zero-knowledge identity security and Privileged Access Management (PAM) platform.