10 countries including UK and US warn: China secretly hacks smart devices to build large malicious networks

Ten countries, including the US, UK, and Japan, warned that China-linked hackers are building botnets using compromised smart devices like home routers to obscure their cyberattacks on global critical infrastructure.

Published: April 24, 2026 at 20:42

(Central News Agency reporter Chen Yun-yu, London, 24th) A total of 10 countries, including the UK, US, and Japan, jointly warned that malicious actors linked to China often exploit relatively easily compromised network equipment, such as smart devices like mobile phones, to hide the actual origins of their cyberattacks, making attribution more difficult. These malicious actors include cybersecurity companies based in or linked to China.

Agencies participating in issuing this warning include the UK's National Cyber Security Centre (NCSC), the Australian Cyber Security Centre (ACSC), Canada's Cyber Centre, Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI), Japan's National center of Incident readiness and Strategy for Cybersecurity (NISC), and the Netherlands' Military Intelligence and Security Service (MIVD).

Additionally, New Zealand's National Cyber Security Centre (NCSC-NZ), Spain's National Cryptologic Centre (CCN), Sweden's National Cybersecurity Centre (NCSC-SE), as well as the US Federal Bureau of Investigation (FBI), National Security Agency (NSA), Department of Defense Cyber Crime Center (DC3), and Cybersecurity and Infrastructure Security Agency (CISA) joined. Each agency has respectively published preventive measures and operational recommendations domestically.

The UK's NCSC pointed out that malicious actors often use network edge devices, which are relatively easy to compromise and commonly found in daily life, to construct networks for covert operations. These edge devices range from home routers to various smart electronics, and users are highly unlikely to realize their devices have been compromised.

The NCSC warned that malicious actors are "massively" utilizing covert operational networks built using such methods to target critical sectors capable of imposing substantial impacts on national security, economic activities, and citizens' daily lives globally.

These covert networks are also used to steal sensitive data while maintaining persistent intrusion.

The NCSC emphasized that the continuous upgrading of cyberattack methods highlights that traditional threat detection based primarily on Indicators of Compromise (IoC) and known evidence is failing after many years.

Malicious actors can quickly launch attacks using dynamic IP addresses and other rapidly changing, randomly generated paths; even if a hacked system detects an IoC, the IoC may disappear instantly, making cybersecurity defense sharply more difficult.

NCSC Director of Operations Paul Chichester stated that in recent years, China-based cyber groups have "deliberately" increased their use of such malicious networks to hide their tracks and evade responsibility. However, the NCSC will not shy away from exposing these techniques and urges all sectors to take immediate action to enhance the protection of critical assets.

According to NCSC's threat analysis, these malicious networks can be used to execute every phase of the cyberattack kill chain, including target reconnaissance, malware delivery, command and control, and data exfiltration. Not only can they adjust dynamically and rapidly, but their costs are also relatively low.

In September 2024, the UK's NCSC, along with the US, Australia, Canada, and others, exposed the botnet used by "Flax Typhoon," a hacker group linked to the Chinese government. The entity operating the botnet is the Beijing-based cybersecurity firm "Integrity Technology Group." A botnet is formed when compromised network devices become puppets controlled by hackers to launch attacks.

According to the company's official website, Integrity Technology Group is a state-level "little giant" enterprise in China, with a vision of "bringing a sense of security to the world."

Last December, the UK government announced sanctions against Integrity Technology Group in response to its "reckless and indiscriminate" malicious cyber activities against the UK and its allies.

According to historical cybersecurity analysis by Microsoft, Flax Typhoon's targets also encompass Taiwanese organizations. The group carries out persistent intrusions using minimal malware, primarily exploiting built-in tools within the Taiwanese organizations' systems to lie dormant unnoticed for long periods, including carrying out potential espionage activities.