FORT MEADE, Md. (April 23, 2026) - The National Security Agency (NSA) joined the United Kingdom's National Cyber Security Centre, the Australian Signals Directorate's Australian Cyber Security Centre, and others today in releasing the joint Cybersecurity Advisory, "Defending against China-nexus covert networks of compromised devices."
The CSA details how multiple China-nexus threat actors are now using external covert networks to facilitate malicious cyber activity strategically, at scale. These dynamic covert networks include botnets that leverage many compromised devices to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity. These botnets frequently include compromised small office/home office network infrastructure (routers, firewalls, network attached storage, etc.) and internet of things devices (web cameras, video recorders, smart devices, etc.).
While many new covert infrastructure networks are regularly developed and deployed for use by multiple China-nexus threat actors, existing networks are also updated because of defensive or legal action, software updates, or new exploits being used to target different technologies, according to the CSA. This renders a detailed list of all known networks (how they are constructed and communicated) and previous defense paradigms ineffective. Legitimate users also browse the internet using the networks and devices involved, making attribution of the malicious activity challenging. However, since most networks of compromised infrastructure use the same basic setup, understanding the generalized structure can aid defensive efforts.
This CSA explains the widespread shift in tactics, techniques, and procedures by malicious cyber actors away from using individually procured infrastructure to multiple externally managed large covert networks used by many actors simultaneously. It describes the typical makeup of a covert network and how it is used, and includes protective advice for organizations targeted by cyber activity using a covert network as an access vector. Additionally, the guidance outlines tailored steps organizations of all sizes can take to mitigate the risk of attacks.
Anyone who is a target of China-nexus threat actors may be impacted by the use of covert networks, and anyone using a vulnerable device could have their device co-opted into one of these China-nexus covert networks. Cybersecurity analysts and network defenders - including those protecting national security, Department of War, and Defense Industrial Base systems - are advised to use the protective advice and mitigations listed in this CSA to thwart malicious activities.
Additional Resources
• Read the full report.
• Visit our full library for more cybersecurity information and technical guidance.
About National Security Agency
Founded in 1952, NSA is a U.S. Department of War combat support agency and element of the U.S. Intelligence Community. The Agency's mission is to provide foreign signals intelligence to policy makers and our military, and to prevent and eradicate cybersecurity threats to U.S. national security systems, with a focus on the Defense Industrial Base and the improvement of U.S. weapons' security. From protecting U.S. warfighters around the world to enabling and supporting operations on land, in the air, at sea, in space, and in the cyber domain, NSA is committed to building public trust through transparency and protecting civil liberties and privacy consistent with our nation's values.