UK Government Warns Chinese Hackers Are Building Botnets from Hijacked Home Devices

The UK's National Cyber Security Centre, coordinating with nine allied nations including the US, Australia, Canada, Germany, Japan, and others, issued a joint advisory warning that Chinese state-linked hackers are systematically hijacking home routers, IP cameras, video recorders, and network-attached storage devices to build large-scale proxy networks for cyber operations. The advisory names Flax Typhoon — linked to the sanctioned Integrity Technology Group — as a primary actor, and connects the infrastructure to the previously dismantled Raptor Train botnet of over 260,000 devices.
How the Infrastructure Works
Consumer devices — SOHO routers, home cameras, NAS units — are compromised and enrolled into proxy networks. When Chinese state hackers conduct operations against government, military, or critical infrastructure targets, they route their traffic through these compromised devices, making it appear to come from residential or small business IP addresses in the target countries. This geographic obfuscation complicates attribution and sidesteps IP-based detection systems that flag traffic from known data-center addresses, because the source now looks like an ordinary home connection.
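The passage above explains why a rule that only flags data-center source addresses goes blind once traffic is relayed through hijacked home devices. The following is an added example, not code from the NCSC advisory or from this article, showing one heuristic defenders use instead: rather than asking "is this IP a data center?", ask "how many unrelated ASNs did one account log in from inside a short window?". A real user rarely appears from half a dozen different home ISPs in half an hour; an account driven through a rotating residential proxy network does. The log format, the usernames and the IP-prefix-to-ASN table are all constructed for the example (the table stands in for a real ASN lookup such as a MaxMind or Team Cymru feed, which is an assumption about how you would source it).

```python
"""
Added example: detecting logins relayed through a residential proxy network by
ASN churn per account, compared against the naive "data-center source" rule.
All log lines, account names and the IP-prefix -> ASN table are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed stand-in for a real IP-to-ASN feed. Prefixes are from the
# RFC 5737 documentation ranges; ASN numbers are from the private range.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"),    "AS64500", "datacenter"),
    (ipaddress.ip_network("198.51.100.0/26"),   "AS64501", "residential"),
    (ipaddress.ip_network("198.51.100.64/26"),  "AS64502", "residential"),
    (ipaddress.ip_network("198.51.100.128/26"), "AS64503", "residential"),
    (ipaddress.ip_network("198.51.100.192/26"), "AS64504", "residential"),
    (ipaddress.ip_network("192.0.2.0/25"),      "AS64505", "residential"),
    (ipaddress.ip_network("192.0.2.128/25"),    "AS64506", "residential"),
]

# Constructed authentication log in an assumed "key=value" format.
# alice: one home ISP, normal.  bob: five different residential ASNs in 25
# minutes, typical of a rotating proxy network.  carol: one data-center hit.
SAMPLE_LOG = """\
2025-01-10T09:00:00Z user=alice src=198.51.100.10 result=success
2025-01-10T09:20:00Z user=alice src=198.51.100.12 result=success
2025-01-10T09:45:00Z user=alice src=198.51.100.10 result=success
2025-01-10T10:00:00Z user=bob src=198.51.100.70 result=success
2025-01-10T10:05:00Z user=bob src=198.51.100.130 result=success
2025-01-10T10:11:00Z user=bob src=198.51.100.200 result=success
2025-01-10T10:18:00Z user=bob src=192.0.2.15 result=success
2025-01-10T10:25:00Z user=bob src=192.0.2.140 result=success
2025-01-10T11:00:00Z user=carol src=203.0.113.5 result=success
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def lookup_asn(ip):
    """Longest-prefix match against ASN_TABLE; returns (asn, kind)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, kind in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, kind)
    return (best[1], best[2]) if best else ("UNKNOWN", "unknown")


def parse_line(line):
    """Parse one log line into (timestamp, user, src_ip, result) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def flag_datacenter_sources(lines):
    """The naive rule the article says proxying defeats: any login whose
    source ASN is a hosting provider. Misses bob entirely."""
    hits = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        _, user, src, _ = rec
        asn, kind = lookup_asn(src)
        if kind == "datacenter":
            hits[user].add(asn)
    return {u: sorted(v) for u, v in hits.items()}


def flag_asn_churn(lines, window=timedelta(hours=1), min_asns=4):
    """Flag accounts seen from at least min_asns distinct ASNs within any
    span of length `window`. Returns {user: sorted ASNs in the widest window}."""
    events = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ts, user, src, _ = rec
        events[user].append((ts, lookup_asn(src)[0]))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        recent = deque()  # sliding window of (ts, asn)
        for ts, asn in evs:
            recent.append((ts, asn))
            while ts - recent[0][0] > window:
                recent.popleft()
            asns = {a for _, a in recent}
            if len(asns) >= min_asns and len(asns) > len(flagged.get(user, ())):
                flagged[user] = sorted(asns)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("data-center rule :", flag_datacenter_sources(lines))
    print("ASN-churn rule   :", flag_asn_churn(lines))
```

Run against the constructed log, the data-center rule flags only carol, while the churn rule flags only bob, which is the account actually being driven through a rotating set of home connections. In production the window and threshold need tuning per population (mobile users legitimately roam across a few ASNs), and the ASN feed must be kept current, since the residential prefixes are exactly what a hijacked-device botnet borrows.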
The NCSC estimates that Raptor Train — disrupted by the FBI in September 2024 — infected over 260,000 devices globally. Volt Typhoon was observed rebuilding its network by November 2024, suggesting these botnets are resilient to single disruption events.
What the Ten-Country Advisory Signals
A joint advisory coordinated across ten nations is not routine. It signals that allied intelligence services have reached a shared assessment and are choosing to publicize it — typically as a deterrence measure, a warning to defenders, or both. The explicit naming of Integrity Technology Group, a Chinese company sanctioned for its role in the Flax Typhoon operations, suggests the advisory is designed to apply reputational and economic pressure in addition to providing technical warnings.
What Home and Small Business Users Should Do
- Update firmware on all home routers, IP cameras, and NAS devices. Devices running end-of-life firmware that no longer receives security updates — common in older consumer gear — are the primary targets.
- Replace end-of-life devices.
- Segment IoT devices onto a separate network from computers handling sensitive data.
- Disable remote management interfaces that are not actively used.
My Take
The consumer device botnet strategy is elegant from an attacker's perspective: it turns the global installed base of poorly-secured home devices into a distributed attack infrastructure that is nearly impossible to fully dismantle. The NCSC advisory is correct that this is a persistent threat, but the practical remediation — "update your router firmware" — is advice that the vast majority of affected users will never follow. ISPs and device manufacturers need to solve this at the infrastructure level, not rely on individual users to patch it.
Related Articles
- The White House Is Accusing China of Industrial-Scale AI Theft
- CISA Is Ordering Federal Agencies to Patch a Microsoft Defender Zero-Day