International Cyber Agencies Publish Joint Advisory on Defending Against China-Linked Covert Networks

News Download & print article PDF

International cyber agencies share fresh advice to defend against China-linked covert networks

New advisory highlights how to defend against attacker tactics believed to be used by the majority of China-linked actors to hide malicious cyber activity.

• GCHQ’s National Cyber Security Centre with UK industry and 15 international partners shine light on best protections against methods used by China-linked threat actors.
• Covert networks, often made up of compromised devices such as smart devices, are being used to disguise the origins and attributions of cyber attacks.
• Organisations urged to follow the protective advice outlined in the new advisory launched on Day Two of CYBERUK 2026 conference to combat this risk. International cyber agencies are calling on organisations to understand and better defend against the cyber threat from covert networks by following new joint advice published today (Thursday).

The National Cyber Security Centre (NCSC) – a part of GCHQ – alongside industry and 15 international partners from across nine other countries, have issued a new advisory, highlighting how to defend against these attacker tactics which are believed to be used by the majority of China-linked actors to obscure malicious cyber activity.

Covert networks are often made up of vulnerable everyday internet-connected edge devices, such as home routers and smart devices, that have been compromised. These networks are being leveraged at scale to target critical sectors globally, steal sensitive data, and maintain persistent access.

The new advisory, produced with members of the NCSC’s Cyber League programme with industry, has been published on the second day of the UK government’s flagship CYBERUK conference and is designed to assist organisations with the latest protective advice.

It includes comprehensive mitigation advice to help defend against activity originating from a covert network.

It also warns of a key issue for network defenders: IOC extinction, where indicators of compromise disappear as quickly as they are discovered, requiring more adaptive, intelligence-driven measures to mitigate the risks.

Our new joint advisory consolidates insights and proactive advice from across the international cyber security community to help network defenders combat the use of covert networks.

In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability.

The NCSC will not shy away from shining a light of these techniques and we call on organisations to act now to better defend their critical assets.

Paul Chichester, NCSC Director of Operations
The advisory describes how covert networks used by China-linked actors are being created and maintained, externally, by Chinese information security companies.

In September 2024, alongside international partners, the NCSC called out, an information security company based in China, Integrity Technology Group, for controlling and managing a botnet, which was utilised by Flax Typhoon.

In December 2025, the UK government sanctioned Integrity Technology Group alongside another China-based information security company, for their reckless and indiscriminate malicious cyber activity against the UK and its allies.

Small organisations are encouraged to use the free Cyber Action Toolkit, with larger organisations encouraged to secure Cyber Essentials certification and use the updated Cyber Assessment Framework.

The advisory has been issued by the NCSC alongside the Cyber League and 15 co-sealing agencies, including:

• Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
• Communications Security Establishments Canada's (CSE's) Canadian Centre for Cyber Security (Cyber Centre)
• Germany Federal Office for the Protection of the Constitution -  Bundesamt für Verfassungsschutz (BfV)
• Germany Federal Intelligence Service – Bundesnachrichtendienst (BND)
• Germany Federal Office for Information Security - Bundesamt für Sicherheit in der Informationstechnik (BSI)
• Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
• Netherlands General Intelligence and Security Service - Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
• Netherlands Defence Intelligence and Security Service - Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• Spain National Cryptologic Centre – Centro Criptológico Nacional (CCN)
• Sweden National Cyber Security Centre - Nationellt cybersäkerhetscenter (NCSC-SE)
• United States Cybersecurity and Infrastructure Security Agency (CISA)
• United States Department of Defense Cyber Crime Center (DC3)
• United States Federal Bureau of Investigation (FBI)
• United States National Security Agency (NSA) It can be read on the NCSC website: https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices

An executive summary is also available on the NCSC website: https://www.ncsc.gov.uk/news/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices

Download & print article PDF Share Share Facebook LinkedIn X Copy Link

Published

23 April 2026

Written for

Cyber security professionals Large organisations Public sector

News type

General news

Was this article helpful?

• Yes
• No Back to top Share Facebook LinkedIn X Copy Link ## Also see

I've received a threatening message.
News

Organisations should map and baseline their edge device traffic, especially VPN and remote access connections, and adopt dynamic threat feed filtering that includes known covert network indicators. News

Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it