The National Cyber Security Centre has issued guidance warning that China-nexus cyber actors are conducting attacks against UK organisations using large-scale covert networks built from compromised routers and other edge devices.

The advisory, published on 23 April and co-sealed with international partner agencies, describes a shift away from individually procured attack infrastructure toward botnets assembled from compromised consumer and small office equipment. These networks are used across multiple phases of an attack lifecycle, from initial reconnaissance and malware delivery through to command and control and data exfiltration.

The NCSC describes the model as dynamic, low-cost, and deniable. Because the networks are constantly refreshed and nodes are shared across multiple threat groups, indicators of compromise disappear rapidly, a phenomenon the advisory terms “IOC extinction.”

Organisations relying solely on static IP block lists are therefore considered at heightened risk of being bypassed, as those defences become outdated almost as soon as they are applied.

The advisory has been developed by the NCSC and the Cyber League alongside co-sealing agencies and contains tiered guidance scaled to organisation size. All organisations are advised to map and baseline their edge device traffic, particularly VPN and remote access connections, and to adopt dynamic threat feed filtering that incorporates known covert network indicators. Two-factor authentication for remote access is also recommended, along with zero trust controls, IP allow lists, and machine certificate verification where feasible.

Larger or higher-risk organisations are encouraged to go further, considering active hunting of suspicious small office and home office or Internet of Things traffic, geographic profiling of connection patterns, and machine learning-based anomaly detection to identify unusual behaviour that static tools would miss.
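As an added illustration of the layered controls described above (not code from the advisory or this article), the following Python scores constructed VPN login records against a static block list, a threat feed whose indicators are treated as extinct after a set age, and a per-user country baseline. The feed entries, baseline, log lines and the seven-day age threshold are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed threat feed (hypothetical provider): indicator -> (first_seen, last_seen).
FEED = {
    "198.51.100.7": (datetime(2025, 4, 1), datetime(2025, 4, 10)),
    "203.0.113.9": (datetime(2025, 4, 22), datetime(2025, 4, 23)),
}
# Static block list exported once on 1 April and never refreshed.
STATIC_BLOCKLIST = {"198.51.100.7"}
# Constructed per-user baseline of VPN source countries seen over the last 30 days.
BASELINE = {"alice": {"GB"}, "bob": {"GB", "DE"}}
# Constructed VPN authentication log lines: timestamp user source_ip geoip_country.
LOGS = [
    "2025-04-23T08:01:00 alice 192.0.2.10 GB",
    "2025-04-23T08:05:00 bob 203.0.113.9 GB",
    "2025-04-23T09:30:00 alice 198.51.100.7 BR",
]
MAX_IOC_AGE = timedelta(days=7)  # assumed: indicators older than this count as extinct

def parse(line):
    ts, user, ip, country = line.split()
    return datetime.fromisoformat(ts), user, ip, country

def feed_active(ip, now):
    """True if the feed has seen this indicator within MAX_IOC_AGE of `now`."""
    seen = FEED.get(ip)
    return seen is not None and now - seen[1] <= MAX_IOC_AGE

def assess(line):
    """Return the reasons a VPN login should be reviewed (empty list = nothing found)."""
    now, user, ip, country = parse(line)
    reasons = []
    if ip in STATIC_BLOCKLIST:
        reasons.append("static-blocklist")
    if feed_active(ip, now):
        reasons.append("feed-active-node")
    elif ip in FEED:
        reasons.append("feed-stale-node")  # extinct IOC: weak signal on its own
    # Geographic profiling against the per-user baseline catches the login
    # from the stale node even though the feed no longer treats it as active.
    if country not in BASELINE.get(user, set()):
        reasons.append(f"geo-new-country:{country}")
    return reasons

def triage(lines):
    """Map each source IP in the logs to its review reasons."""
    return {parse(l)[2]: assess(l) for l in lines}

if __name__ == "__main__":
    for ip, reasons in triage(LOGS).items():
        print(ip, reasons)
```

The static list alone misses the freshly recruited node (203.0.113.9) and fires only on the indicator the feed has already aged out, which is the decay the advisory calls IOC extinction.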

The full advisory contains detailed technical guidance for cyber security professionals and is available via the NCSC website.

2 COMMENTS

  1. Looks like this site is a regular target judging by the frequent outages 🤔

    I blame Jonathan 😎
