
CISA and NCSC-UK Issue Joint Advisory on Chinese Government-Linked Cyber Threats


Summary

CISA and the UK's NCSC, together with FBI, NSA, DoD Cyber Crime Center, and agencies from Australia, Canada, Germany, Netherlands, New Zealand, Japan, Spain, and Sweden, have released a joint advisory titled 'Defending Against China-Nexus Covert Networks of Compromised Devices.' The advisory details how Chinese state-sponsored actors Volt Typhoon and Flax Typhoon use botnets of compromised home/SOHO routers and IoT devices for espionage, intrusion, persistence, and data theft. Mitigation guidance includes mapping network edge devices, baselining normal VPN connections, maintaining log collection, and implementing MFA for remote access.

“CISA strongly encourages organizations to review and implement appropriate mitigation measures to defend their devices from this threat.”

CISA, verbatim from source

Published by CISA on cisa.gov. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

About this source

GovPing monitors US CISA News for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 5 changes logged to date.

What changed

CISA and NCSC-UK, co-sealed by FBI, NSA, DoD Cyber Crime Center, and international partners, released a joint advisory on Chinese state-sponsored cyber actors using covert networks of compromised devices for espionage and data theft. The advisory names Volt Typhoon and Flax Typhoon as threat actors leveraging botnets of home routers and IoT devices at scale.

Network defenders and critical infrastructure operators should review the advisory's mitigation recommendations and implement controls including MFA for remote access, network edge device mapping, connection baselining, and log collection. No compliance deadline is stated; the advisory is effective immediately upon review.

What to do next

  1. Implement multifactor authentication for remote connections
  2. Maintain log collection and storage solutions to assist with detecting and responding to unauthorized access attempts
  3. Baseline normal connections, especially to corporate VPNs or other similar services
  4. Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connected to them

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Press Release

CISA, National Cyber Security Centre (NCSC) UK, and Global Partners Issue Advisory on Chinese Government-Linked Covert Cyber Networks

New advisory offers strategic guidance to combat threats to vulnerable devices

Released April 23, 2026

Related topics: Cybersecurity Best Practices, Cyber Threats and Response, Nation-State Threats

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC-UK), together with federal and international partners, have released a new cybersecurity advisory titled “Defending Against China-Nexus Covert Networks of Compromised Devices.” This advisory equips network defenders with vital tools and resources to combat the threat posed by Chinese government-linked threat actors’ use of covert networks of compromised devices.

“Working closely with U.S. and international partners, CISA continues to identify and warn organizations of Chinese state-sponsored cyber actors threatening critical infrastructure. This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity,” said CISA Acting Director Nick Andersen. “CISA strongly encourages organizations to review and implement appropriate mitigation measures to defend their devices from this threat. Every day, CISA works to empower organizations with actionable information to strengthen their security and resilience against cyber threats.”

The advisory explains how attackers create hidden networks by taking advantage of weak devices, like those used at home or in small offices, as well as Internet of Things (IoT) gadgets. It also describes how groups such as Volt Typhoon and Flax Typhoon use large groups of hijacked devices, called botnets, to hide who they are and carry out spying, break-ins, controlling devices, and stealing data.

Cyber defenders are provided with comprehensive guidance to identify, baseline, and mitigate activity from dynamic and deniable covert networks, aimed at reducing the risk of organizational compromise.

To strengthen defenses, CISA and partners advise organizations to:

  • Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connected to them.
  • Baseline normal connections, especially to corporate VPNs or other similar services.
  • Maintain log collection and storage solutions to assist with detecting and responding to unauthorized access attempts.
  • Implement multifactor authentication for remote connections.

Visit CISA’s China Threat Overview and Advisories page for details on Chinese government-linked threat actors. For edge device security resources, see CISA’s Edge Device Security page.

This advisory is co-sealed by Federal Bureau of Investigation, National Security Agency, Department of Defense Cyber Crime Center and agencies from Australia, Canada, Germany, Netherlands, New Zealand, Japan, Spain, and Sweden.

About CISA

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to manage, uncover, and reduce risk to our digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free.

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CISA
Published: April 23rd, 2026
Instrument: Guidance
Branch: Executive
Joint with: NCSC-UK, FBI, NSA, DoD Cyber Crime Center
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: AA26-113a

Who this affects

Applies to: Government agencies, Healthcare providers, Financial advisers
Industry sector: 9211 Government & Public Administration
Activity scope: Network security monitoring, Botnet defense, Nation-state threat response
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Sanctions, Critical Infrastructure, National Security
