CISA, the UK's National Cyber Security Centre, and a coalition of international partners have issued a joint advisory describing how Chinese government-linked actors are building and using large networks of compromised routers, cameras, and other internet-connected devices to mask intrusions into critical infrastructure. The advisory frames these as "covert networks", essentially botnets repurposed for espionage rather than the more familiar denial-of-service or spam use cases.
The technique itself isn't new: routing traffic through compromised consumer and small-business devices makes it harder for defenders to trace an intrusion back to its actual origin, since the traffic appears to come from an ordinary home router in an unrelated country rather than a state-linked server. What's notable about this advisory is the scale and coordination described, and the explicit naming of the threat actors behind it by multiple governments simultaneously.
Directly, this targets critical infrastructure operators, government agencies, and large enterprises. Indirectly, it involves anyone whose router, camera, or smart device gets swept into one of these networks without their knowledge, which is where ordinary readers come in. A compromised home router doesn't just put its owner at risk, it becomes infrastructure for someone else's attack on a target the owner has never heard of.
Most readers can't act on the state-sponsored espionage angle directly, but the underlying weakness these networks depend on is entirely addressable at home: default or weak passwords on routers and IoT devices. Log into your router's admin panel, change the default password if you haven't already, and check whether its firmware is up to date. Do the same for any internet-connected camera or smart device you own. It won't stop a nation-state, but it takes your devices out of the pool of easy targets these networks are built from.
The advisories that matter, translated into plain English, every Friday.