China-Nexus Covert Networks Are Targeting Australian Critical Infrastructure — What Businesses Must Do Now
On 23 April 2026, a coalition of 16 intelligence agencies — including Australia's own ASD/ACSC — released a joint advisory warning that China-linked threat actors are building vast covert networks from compromised everyday devices, including the SOHO routers sitting in Australian homes and small businesses. This is not a theoretical risk: the advisory explicitly states that Australian critical infrastructure is assessed to be vulnerable. Here is what the advisory says and what you should do about it.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
A Sixteen-Agency Warning: The Joint Intelligence Picture
On 23 April 2026, the UK's National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI, and Australia's own ASD's Australian Cyber Security Centre (ACSC) published a joint advisory titled "Defending Against China-Nexus Covert Networks of Compromised Devices." Eleven additional agencies from Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden co-signed the document — sixteen signatories in total — making it one of the most broadly coordinated public threat disclosures in recent years.
The central finding is a significant tactical shift. China-linked threat actors have moved away from using individually procured attack infrastructure — dedicated servers they rented or owned — towards building vast networks of compromised everyday devices. These are not purpose-built hacking machines. They are your home router, your IP camera, your network-attached storage unit, and your small-business firewall: devices already sitting inside networks, already connecting to the internet, and largely unmonitored.
The advisory, jointly published by CISA as advisory AA26-113A and co-published on the NCSC-UK, NSA, FBI, and ASD/ACSC websites, is accompanied by a technical annex covering detection and mitigation guidance in detail. Three threat actor groups are named directly. Volt Typhoon, the most publicly discussed China-nexus actor, uses a covert proxy infrastructure called the KV Botnet, which is primarily built from compromised Cisco and Netgear SOHO routers. The advisory confirms that Volt Typhoon has used these networks to pre-position offensive capabilities inside critical national infrastructure in multiple countries — not merely to spy, but to be ready to act on short notice.
Flax Typhoon operated the Raptor Train botnet, which at its peak infected more than 260,000 devices worldwide. The FBI attributes Raptor Train to Integrity Technology Group, a Chinese company assessed by the US government to be acting on behalf of the People's Republic of China. Raptor Train targeted more than 70 different device vulnerabilities between 2019 and 2024 before being partially disrupted by the FBI in late 2024. The advisory makes clear the underlying campaign continues under evolved infrastructure.
A third category, labelled ORB (Operational Relay Box) networks in threat intelligence parlance, refers to the infrastructure-for-hire model where China-nexus actors lease access to compromised device pools rather than maintaining their own. This approach is low-cost, scales rapidly, and — critically — makes attribution significantly harder, because each connection to a target originates from a seemingly ordinary household or small-business device somewhere in the world.
What This Means for Australia Specifically
The advisory's co-signature by ASD's ACSC is not ceremonial. The document contains a specific threat assessment: ASD's ACSC and New Zealand's NCSC-NZ assess that Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors. That is an official attribution of risk to Australian systems, in a published advisory, from Australia's peak cyber intelligence body.
The framing matters. Volt Typhoon's documented pattern is not financially motivated ransomware. It is nation-state pre-positioning: gaining persistent access to energy, water, telecommunications, and transport networks so those networks can be disrupted or degraded during a future geopolitical crisis. Australia's geographical location, its military alliance under ANZUS, and its Five Eyes membership make it a logical strategic target. Pre-positioning attacks are designed to be invisible until activated — you may not know a network has been compromised until the moment that access is used offensively.
Salt Typhoon, a related but distinct China-nexus actor focused on telecommunications, has separately targeted major telcos across multiple Five Eyes countries. ACSC has previously issued specific guidance to Australian telecommunications providers on mitigating Salt Typhoon intrusion techniques, underscoring that PRC-linked targeting of Australia's digital infrastructure is an ongoing, multi-front campaign rather than a one-off advisory event.
But the risk does not stop at the perimeter of critical infrastructure operators. Australian SMBs and households are relevant for two reasons. First, their devices may already be enrolled in these covert networks without their knowledge. A compromised SOHO router in a small accountancy firm's office can serve as a proxy node, relaying attack traffic towards other targets — and the business owner has no visibility into this activity. Second, if those same devices are used for remote-work connections, they create an exposed entry point into whatever corporate or home network they bridge.
End-of-life devices are a central enabler. The advisory highlights that many compromised devices are no longer receiving manufacturer security updates — a common reality in Australian homes and small offices, where routers often run for five to ten years without replacement. The Australian Competition and Consumer Commission (ACCC) has flagged smart device security as an ongoing consumer protection concern, and ACSC's own Essential Eight guidance recommends patching operating systems to a defined standard. Many Australians are simply not applying this discipline to their home networking gear.
Inside the Kill Chain: How Raptor Train and the KV Botnet Actually Work
Understanding how these covert networks function matters because it determines which defences are effective and which are largely cosmetic.
Building the botnet
Initial compromise of devices typically exploits one of three vectors: known vulnerabilities in device firmware, default or weak credentials that have never been changed, or management interfaces exposed to the open internet. Raptor Train's operators catalogued more than 70 device vulnerabilities across different manufacturers, covering SOHO routers, IP cameras, video recorders, firewalls, and NAS devices. Devices targeted include those from Cisco, Netgear, ASUS, Hikvision, and D-Link — common brands in Australian homes and small offices. Once a device is compromised, a lightweight implant is installed that connects back to the threat actor's command-and-control (C2) infrastructure. The device then acts as a proxy node: traffic originating from the threat actor in China is forwarded through the compromised device, so the apparent source is a residential or small-business IP address in the target country.
How the network is used across the kill chain
The advisory documents usage across the full attack lifecycle. During reconnaissance, covert network nodes perform scanning of target networks, blending in with normal internet traffic because they originate from legitimate domestic IP addresses. During initial access attempts, the nodes relay phishing content, brute-force credentials, or exploit public-facing services. During post-compromise operations, they provide resilient C2 channels and support data exfiltration. At every stage, the apparent originating IP address is a compromised legitimate device — often in the same country as the target — which complicates both detection and legal attribution.
Why traditional defences struggle
The advisory specifically notes that "traditional IP blocklists are less effective against dynamic botnets with hundreds of thousands of endpoints." When Raptor Train, at its peak, comprised over 260,000 compromised devices, each endpoint might appear in attack logs only briefly before rotating out. A defender maintaining a static block list would need to update it continuously in near real time — a requirement that exceeds the capability of most Australian SMBs and even many larger organisations. This is why the advisory recommends behavioural detection: looking for unusual patterns in edge-device traffic volumes, unexpected outbound connections to unfamiliar IP ranges, or remote-access sessions at unusual hours, rather than relying purely on known-bad indicator matching.
Attribution and the Integrity Technology Group
Raptor Train presents a useful case study in how China-nexus operations are structured for deniability. Integrity Technology Group, the entity the FBI assessed to be operating the botnet, is a commercial company registered in China. Its use of China Unicom Beijing Province network IP addresses for botnet remote control is documented in the advisory. The company publicly presents itself as a cybersecurity services provider — a model of state-adjacent commercial front companies that provides plausible deniability while enabling persistent state-sponsored operations. The KV Botnet linked to Volt Typhoon operates similarly: commercial-looking infrastructure layered over state-directed operational objectives.
Practical Steps for Australian Businesses and Households
The advisory lists specific mitigations. Not all of them apply equally to small businesses and households, but several are achievable without enterprise-level resources or a dedicated IT team.
Audit and replace end-of-life devices
The most impactful single action available to most Australian households and SMBs is identifying SOHO routers, IP cameras, NAS devices, and small-business firewalls that no longer receive firmware updates. Check the manufacturer's support page for your device model. If the product is listed as end-of-support, it should be replaced — not because it is obviously broken, but because it is silently vulnerable. Cisco, Netgear, ASUS, and TP-Link all publish end-of-support notices on their websites. The KV Botnet specifically targeted end-of-life Cisco and Netgear devices. If you are running hardware that is more than five years old, it warrants investigation.
Disable remote management interfaces
Many SOHO routers ship with remote management (WAN-side access to the admin panel) enabled by default. Unless you have a specific operational need for managing your router from outside your home or office, this interface should be disabled entirely. Management should only be accessible from the local network. Similarly, UPnP (Universal Plug and Play) services that automatically open ports on behalf of applications should be disabled where not required — UPnP has a long history of creating inadvertent exposure. Check these settings in your router's administration interface under WAN or remote access settings.
Enable multi-factor authentication everywhere
The advisory's most consistently repeated recommendation is MFA for all remote access. This includes VPN logins, cloud service access, email accounts, and any business system accessed from outside the office. For smaller teams, authenticator-app based MFA (such as TOTP codes) provides meaningful protection even without enterprise identity infrastructure. MFA does not prevent a compromised router from acting as a proxy node in a botnet, but it significantly raises the cost for any adversary who harvests credentials from a compromised device — they need the second factor as well.
Use a reputable, actively maintained VPN for remote work
The advisory specifically calls out compromised VPN appliances as a primary attack vector in these covert networks. Many small businesses and remote workers rely on consumer-grade or embedded VPN functionality in their routers — precisely the class of devices being enrolled in these botnets. Using a dedicated, commercially-maintained VPN service with regular independent security audits and a verified no-logs policy moves your remote-work traffic off potentially compromised router infrastructure. NordVPN undergoes independent audits and provides both personal and team plans suited to Australian SMBs. Running a dedicated VPN client on your device, rather than relying on the router's own VPN firmware, means that even if the router is enrolled in a botnet, your application-layer VPN traffic remains encrypted and separate from the router's own connection management.
Baseline your network traffic and report incidents
For businesses with even modest IT oversight, enabling logging on the router and reviewing outbound connection patterns periodically can surface anomalous activity — unexpected connections to unfamiliar IP ranges, large data transfers at unusual hours, or sustained outbound traffic when the office is closed. ACSC provides threat intelligence feeds, including covert network infrastructure indicators, through its partnership programmes for qualifying organisations. If you believe a device may be part of a botnet, report the incident to ACSC via ReportCyber at cyber.gov.au — ACSC can provide guidance and, in significant cases, share indicators of compromise relevant to your environment.
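As an added example (not code from the advisory, ACSC, or any vendor), the following Python script applies the behavioural heuristics described in the two passages above, unfamiliar destination ranges, large transfers outside business hours, and repeated after-hours connections from the router itself, to a constructed sample of outbound flow records. The log format, the baseline ranges, the router address and the thresholds are all assumptions to be adapted to your own environment.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample export (hypothetical format): "<ISO time> <src_ip> <dst_ip>:<dst_port> <bytes_out>"
SAMPLE_LOG = """\
2026-04-24T10:15:02 192.168.1.20 203.0.113.10:443 18230
2026-04-24T12:40:11 192.168.1.21 203.0.113.15:443 9400
2026-04-25T02:13:45 192.168.1.1 198.51.100.77:8443 5120
2026-04-25T02:14:01 192.168.1.1 198.51.100.77:8443 4890
2026-04-25T02:14:20 192.168.1.1 198.51.100.77:8443 5300
2026-04-26T03:05:00 192.168.1.30 203.0.113.10:443 734003200
"""

# Constructed baseline: ranges the business normally talks to (here a hypothetical SaaS provider).
KNOWN_DST_RANGES = [ip_network("203.0.113.0/24")]
EDGE_DEVICE = ip_address("192.168.1.1")        # assumed LAN address of the SOHO router itself
BUSINESS_HOURS = range(8, 18)                  # 08:00-17:59, Monday to Friday
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024       # 100 MiB in a single flow
BURST_THRESHOLD = 3                            # repeated after-hours router connections to one host


def parse_flows(text):
    """Parse the export into dicts, silently skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        try:
            dst_ip, dst_port = parts[2].rsplit(":", 1)
            flows.append({"ts": datetime.fromisoformat(parts[0]), "src": ip_address(parts[1]),
                          "dst": ip_address(dst_ip), "port": int(dst_port), "bytes": int(parts[3])})
        except (ValueError, IndexError):
            continue
    return flows


def after_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS   # weekend or outside business hours


def analyse(flows):
    """Return (rule, detail) findings using the advisory's behavioural heuristics."""
    findings, unfamiliar_seen, router_bursts = [], set(), Counter()
    for f in flows:
        pair = (f["src"], f["dst"])
        if not any(f["dst"] in net for net in KNOWN_DST_RANGES) and pair not in unfamiliar_seen:
            unfamiliar_seen.add(pair)   # report each unfamiliar (src, dst) pair once, not per flow
            findings.append(("unfamiliar_destination", f"{f['src']} -> {f['dst']}:{f['port']} at {f['ts']}"))
        if after_hours(f["ts"]) and f["bytes"] >= LARGE_TRANSFER_BYTES:
            findings.append(("large_after_hours_transfer", f"{f['src']} sent {f['bytes']} bytes to {f['dst']} at {f['ts']}"))
        if after_hours(f["ts"]) and f["src"] == EDGE_DEVICE:
            router_bursts[f["dst"]] += 1   # the router itself talking outbound when nobody is working
    for dst, n in router_bursts.items():
        if n >= BURST_THRESHOLD:
            findings.append(("edge_device_after_hours_beaconing", f"router made {n} after-hours connections to {dst}"))
    return findings
```

On the sample data this yields three findings: the router's repeated overnight connections to an unfamiliar host (reported once as an unfamiliar destination and once as beaconing) and a 700 MiB transfer on a Sunday morning; the two daytime flows to the baseline range produce nothing.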
Australia's Cyber Defence Posture and What Remains Undone
The April 2026 advisory is not the first time ACSC has warned about PRC-linked intrusions targeting Australia-adjacent infrastructure. In 2024, ACSC co-signed an advisory about Volt Typhoon's targeting of US critical infrastructure and explicitly noted comparable risk to Australian systems. The pattern across these advisories is one of escalating public disclosure — intelligence agencies choosing transparency over silence, partly to warn affected sectors and partly to publicly attribute activity that was previously handled through quiet diplomatic channels.
The Essential Eight — ACSC's baseline mitigation framework for Australian organisations — directly addresses several root causes exposed by these campaigns. Application control, operating system and application patching, restricting administrative privileges, and multi-factor authentication are all Essential Eight controls that, if properly implemented, would either prevent initial compromise of edge devices or limit the damage an attacker can do once inside. The challenge is adoption. ASD's 2024–25 Annual Cyber Threat Report found that many smaller Australian organisations had not progressed beyond the lowest maturity level for Essential Eight controls — a significant gap given that the threat actors described in this advisory actively target exactly that class of weakly-patched, poorly-managed infrastructure.
The advisory's framing of pre-positioning — building access now for potential use during a future crisis — deserves particular attention from Australian organisations in sectors the government classifies as critical infrastructure: energy, water, transport, communications, healthcare, and financial services. The ACSC advisory page includes sector-specific guidance for critical infrastructure operators alongside the general advisory. If your organisation falls under the Security of Critical Infrastructure Act 2018, reviewing that guidance and assessing your edge device inventory against the advisory's indicators is not optional — it is a regulatory obligation as well as a security one.
For the majority of Australian SMBs and individuals who do not operate critical infrastructure, the practical risk is more mundane but still real: your equipment may be unwittingly supporting a state-sponsored espionage campaign, and the eventual traffic analysis that surfaces this is unlikely to be comfortable. The steps outlined in the previous section — replacing end-of-life gear, disabling unnecessary remote access, enabling MFA, and using a trusted VPN for remote work — address the most common attack paths without requiring specialist security knowledge or significant expenditure.
The broader lesson from this advisory, and from the accumulated evidence about Typhoon-branded threat actors over the past two years, is that national security cyber threats are no longer confined to government agencies and large enterprises. The infrastructure of attacks is distributed across ordinary homes and businesses worldwide. Every unpatched router is a potential proxy node. Every unused remote management interface is a potential entry point. Treating home and small-business network security with the same attention given to antivirus software is no longer overcautious — it is proportionate to the documented threat environment that sixteen allied intelligence agencies have now jointly confirmed.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.