State cybersecurity agencies are advising extra care over home routers used in 'China-nexus' covert networks

Just a month after the FCC banned certain foreign consumer-grade routers that lack special permissions, security agencies are sounding the alarm. The Cybersecurity and Infrastructure Security Agency (CISA), alongside the UK’s National Cyber Security Centre (NCSC-UK) and other global organizations, has issued warnings regarding the rising threat of China-nexus covert networks. Compromised home routers have officially become the latest cybersecurity bugbear for global infrastructure.

The evolution of cyber attack tactics

According to CISA, there has been a significant shift in the tactics, techniques, and procedures (TTPs) employed by these actors. Rather than relying on individually procured infrastructure, attackers are moving toward using externally provisioned, large-scale networks of compromised devices.

These China-nexus covert networks are used across every phase of the "Cyber Kill Chain." This includes performing reconnaissance scans, delivering malware, maintaining communication with infected hosts, and exfiltrating stolen data from victims. By exploiting vulnerable hardware, attackers can sit within these devices, using them as small but vital nodes in their broader infrastructure.

Identifying the targets within your network

While SOHO (Small Office/Home Office) routers are the primary target, attackers will exploit any vulnerable device they can scale. The CISA report highlights that these networks often consist of:

  • SOHO routers
  • Webcams
  • Firewalls
  • NAS (Network Attached Storage) devices

The risk increases significantly when these devices reach end-of-life (EOL) status and no longer receive essential security updates. Because these networks can involve hundreds of thousands of endpoints, traditional defense methods like static malicious IP block lists are becoming increasingly ineffective. CISA notes that a detailed description of all known covert networks would be out of date almost immediately upon publication.

Why hardware bans aren't enough

The US Federal Communications Commission (FCC) recently added all consumer-grade routers produced in foreign countries to the "Covered List," meaning they now require special permission to be sold in the US. However, this does not address the risk posed by compromised routers already operating in homes and offices.

Firmware security company Eclypsium suggests that while the message is clear—the SOHO router supply chain is a meaningful risk to U.S. critical infrastructure—a ban only addresses part of the problem. "A router ban can reduce some risk at the edges. It does not fundamentally change the attacker playbook," the company stated.

The real challenge lies in a lack of device integrity visibility. Eclypsium argues that device trust should be continuously re-established through repeated security validation across a device's entire lifespan, rather than simply assumed.

Essential security recommendations

To combat these evolving threats, CISA recommends that high-risk organizations engage in "active hunting" to sniff out IP addresses likely to be part of a covert network. For organizations with lower risk profiles, the agency suggests implementing zero-trust connection policies and using IP address allow lists rather than deny lists for remote work.

For all users, the following best practices remain essential:

  • Implement multi-factor authentication (MFA) on all accessible accounts.
  • Understand and monitor the connections occurring within your network.
  • Ensure all software and firmware are kept up to date.
  • Retire any devices that are no longer receiving security patches.
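The advisory's preference for allow lists over deny lists against networks of hundreds of thousands of endpoints is easiest to see on real data. The script below is an added example, not code from CISA or from the article: it parses a few constructed VPN gateway log lines (hypothetical log format, documentation address ranges only) and applies both policy models to each connection, reporting which sources a deny list lets through that an allow list would stop. The allow list, deny list and user names are all assumptions made for the example.

```python
"""Allow-list versus deny-list policy for remote access, run over constructed
VPN gateway log lines. Added example; not from the CISA advisory or the article."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample log lines in a hypothetical gateway format
# (RFC 5737 documentation ranges only, no real infrastructure).
SAMPLE_LOG = """\
2024-05-01T08:01:12Z vpn-gw user=alice src=203.0.113.10 action=connect
2024-05-01T08:03:44Z vpn-gw user=bob src=198.51.100.7 action=connect
2024-05-01T08:05:09Z vpn-gw user=alice src=192.0.2.55 action=connect
2024-05-01T08:07:21Z vpn-gw user=carol src=203.0.113.77 action=connect
"""

# Constructed policy: the egress range remote staff are expected to connect
# from, and one range a (hypothetical) threat feed has already flagged.
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]
DENY_LIST = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+action=connect")


def parse_events(log_text: str) -> List[Tuple[str, object]]:
    """Extract (user, source address) pairs; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            events.append((m["user"], ipaddress.ip_address(m["src"])))
        except ValueError:  # unparsable address field
            continue
    return events


def in_any(addr, networks) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def deny_list_verdict(addr) -> str:
    """Deny-list model: everything is allowed unless it is already known bad."""
    return "blocked" if in_any(addr, DENY_LIST) else "allowed"


def allow_list_verdict(addr) -> str:
    """Allow-list model: everything is blocked unless it is known good."""
    return "allowed" if in_any(addr, ALLOW_LIST) else "blocked"


def compare_policies(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each source IP to its user and the verdict under both models."""
    result = {}
    for user, addr in parse_events(log_text):
        result[str(addr)] = {
            "user": user,
            "deny_list": deny_list_verdict(addr),
            "allow_list": allow_list_verdict(addr),
        }
    return result


def unknown_sources(log_text: str) -> List[str]:
    """Sources an allow list blocks but a deny list admits: the gap where a
    compromised device that is not yet on any block list would sit."""
    return [ip for ip, v in compare_policies(log_text).items()
            if v["allow_list"] == "blocked" and v["deny_list"] == "allowed"]


if __name__ == "__main__":
    for ip, v in compare_policies(SAMPLE_LOG).items():
        print(f"{v['user']:6} {ip:15} deny-list={v['deny_list']:8} "
              f"allow-list={v['allow_list']}")
    print("slipped past the deny list:", unknown_sources(SAMPLE_LOG))
```

On the sample data the deny list catches only the one range it already knows about, while the unlisted residential-looking address for `bob` passes straight through; the allow list stops it without anyone having to know that address in advance. That is the property the advisory is relying on: the allow list stays correct as the covert network churns, whereas a block list is out of date the moment it is published.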

For home users, ensuring your hardware is modern and actively receiving updates remains the most effective way to stay protected from these growing China-nexus covert networks.