CISA, National Cyber Security Centre (NCSC) UK, and Global Partners Issue Advisory on Chinese Government-Linked Covert Cyber Networks

PRESS RELEASE CISA, National Cyber Security Centre (NCSC) UK, and Global Partners Issue Advisory on Chinese Government-Linked Covert Cyber Networks New advisory offers strategic guidance to combat threats to vulnerable devices ReleasedApril 23, 2026 RELATED TOPICS: CYBERSECURITY BEST PRACTICES, CYBER THREATS AND RESPONSE, NATION-STATE THREATS WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC-UK), together with federal and international partners, have released a new cybersecurity advisory titled “Defending Against China-Nexus Covert Networks of Compromised Devices.” This advisory equips network defenders with vital tools and resources to combat the threat posed by Chinese government-linked threat actors’ use of covert networks of compromised devices.    “Working closely with U.S. and international partners, CISA continues to identify and warn organizations of Chinese state-sponsored cyber actors threatening critical infrastructure. This advisory informs organizations of how these actors are strategically using numerous, evolving covert networks at scale for malicious cyber activity,” said CISA Acting Director Nick Andersen. “CISA strongly encourages organizations to review and implement appropriate mitigation measures to defend their devices from this threat. Every day, CISA works to empower organizations with actionable information to strengthen their security and resilience against cyber threats.”  The advisory explains how attackers create hidden networks by taking advantage of weak devices, like those used at home or in small offices, as well as Internet of Things (IoT) gadgets. It also describes how groups such as Volt Typhoon and Flax Typhoon use large groups of hijacked devices, called botnets, to hide who they are and carry out spying, break-ins, controlling devices, and stealing data.  Cyber defenders are provided with comprehensive guidance to identify, baseline, and mitigate activity from dynamic and deniable covert networks, aimed at reducing the risk of organizational compromise.  To strengthen defenses, CISA and partners advise organizations to:  Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connected to them. Baseline normal connections, especially to corporate VPNs or other similar services. Maintain log collection and storage solutions to assist with detecting and responding to unauthorized access attempts. Implement multifactor authentication for remote connections. Visit CISA’s China Threat Overview and Advisories page for details on Chinese government-linked threat actors. For edge device security resources, see CISA’s Edge Device Security page.  This advisory is co-sealed by Federal Bureau of Investigation, National Security Agency, Department of Defense Cyber Crime Center and agencies from Australia, Canada, Germany, Netherlands, New Zealand, Japan, Spain, and Sweden.   ### About CISA  As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to manage, uncover, and reduce risk to our digital and physical infrastructure Americans rely on every hour of every day.  Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.  Related Articles APR 20, 2022 PRESS RELEASE CISA, FBI, NSA, and International Partners Issue Advisory on Demonstrated Threats and Capabilities of Russian State-Sponsored and Cyber Criminal Actors MAR 24, 2022 PRESS RELEASE CISA, FBI and DOE Publish Advisory With Historical Cyber Activity Used by Indicted Russian State-Sponsored Actors FEB 16, 2022 PRESS RELEASE New Cybersecurity Advisory on Protecting Cleared Defense Contractor Networks Against Years-Long Activity by Russian State-Sponsored Actors FEB 11, 2026 PRESS RELEASE CISA’s 2025 Year in Review: Driving Security and Resilience Across Critical Infrastructure