For years, one of the most reliable tools in network defense has been the IP blocklist — a list of known malicious addresses that get flagged or blocked before they can do damage. If an attack comes from a suspicious address, you block it. If a threat actor's infrastructure gets identified, you add it to the list.
China-linked threat actors have found a way to make that defense largely obsolete. And on May 1, 2026, intelligence agencies from 15 countries said so publicly.
The joint advisory, published by the UK's National Cyber Security Centre and co-signed by agencies including the NSA, FBI, CISA, and Spain's National Cryptologic Centre, describes a deliberate and systematic shift in how sophisticated state-sponsored attackers operate.
Rather than maintaining dedicated servers — infrastructure that can be identified, traced, and blocked — China-nexus threat actors have built what the advisory calls "covert networks" out of compromised everyday devices. Home routers. Office network storage drives. Smart cameras. Internet-connected devices that sit in homes and businesses around the world, running quietly in the background, unmonitored and rarely updated.
These devices aren't being used to spy on their owners. They're being conscripted into a global relay network. When an attacker routes traffic through a compromised router in a residential neighborhood in Madrid or a small office in Bangkok, that attack looks, to every defensive system downstream, like ordinary internet traffic from an ordinary location. One confirmed network of this kind — called Raptor Train, linked to a Chinese company called Integrity Technology Group — infected over 200,000 devices worldwide.
The practical consequence is significant: if an attack can originate from any of hundreds of thousands of legitimate-looking IP addresses scattered globally, a blocklist based on known bad addresses provides only limited protection. The address was never bad before. It belongs to someone's router. It's not on any list.
The shift the advisory describes isn't just a new attack technique. It represents a change in the underlying logic of how these operations work.
Previously, tracing a cyberattack — even a sophisticated one — often eventually led back to identifiable infrastructure. That traceability created a form of accountability, however imperfect. Attribution was slow and difficult, but possible. Diplomatic and policy responses, sanctions, and public attribution depended on it.
Covert networks are designed to remove that accountability. When an attack is routed through a compromised home router in a neutral country, attribution becomes genuinely difficult. Defenders are left trying to determine whether the attack came from a nation-state, a criminal group, or something else entirely — using an address that has no prior history of malicious activity.
For organizations in government and defense, this matters for a reason that goes beyond the technical: the threat calculus has changed. Attacks that were once detectable by where they came from can no longer be reliably detected that way.
The advisory is explicit in its recommendations, and they're worth taking seriously precisely because of the breadth of agencies that signed on to them.
The core shift it calls for is moving away from perimeter-based defense — the assumption that the threat is outside and must be kept out — toward a zero trust architecture. Zero trust operates on the assumption that any connection, whether it comes from inside or outside the network, must be verified before being trusted. It doesn't matter what IP address a request comes from. Access is determined by identity, device health, and behavioral signals — not origin.
Specifically, the advisory recommends network segmentation, which limits how far an attacker can move through a system even if they gain initial access. It recommends enhanced logging and monitoring to detect unusual behavior patterns rather than relying solely on known-bad indicators. And it recommends treating all internet-facing infrastructure as potentially exposed — because in an era of covert relay networks, it is.
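As an added illustration (not code from the advisory or from this post), the constructed authentication log below shows why a blocklist check finds nothing while a behavior-based rule of the kind the advisory's monitoring recommendation points toward flags one account authenticating from four distinct networks within minutes; the addresses, ASNs, account names and thresholds are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one account logs in from several residential-looking
# addresses within a few minutes. None of these addresses is on any blocklist.
SAMPLE_LOG = """\
2026-05-01T09:00:12Z login user=alice src=203.0.113.10 asn=AS64500 result=success
2026-05-01T09:03:40Z login user=alice src=198.51.100.77 asn=AS64501 result=success
2026-05-01T09:05:02Z login user=alice src=192.0.2.55 asn=AS64502 result=success
2026-05-01T09:07:19Z login user=alice src=203.0.113.200 asn=AS64503 result=success
2026-05-01T09:09:01Z login user=bob src=203.0.113.10 asn=AS64500 result=success
"""

BLOCKLIST = {"192.0.2.99"}  # constructed: a stale "known bad" address

def parse(log):
    """Turn each 'timestamp login k=v ...' line into a dict with a parsed ts."""
    events = []
    for line in log.splitlines():
        ts, _, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(fields)
    return events

def blocklist_hits(events, blocklist):
    """Origin-based check: matches only addresses already known to be bad."""
    return [e for e in events if e["src"] in blocklist]

def distributed_login_alerts(events, window=timedelta(minutes=10), min_asns=3):
    """Behavior-based check: flag an account that authenticates from at least
    min_asns distinct networks inside one window, whatever the addresses are."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            asns = {e["asn"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(asns) >= min_asns:
                alerts[user] = sorted(asns)
                break
    return alerts

def run():
    events = parse(SAMPLE_LOG)
    return len(blocklist_hits(events, BLOCKLIST)), distributed_login_alerts(events)

if __name__ == "__main__":
    print(run())  # blocklist: 0 hits; behavioral rule: alice flagged
```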
For organizations managing sensitive communications or critical national infrastructure, the advisory also flags the specific vulnerability of SOHO (small office/home office) devices — routers and network equipment that are frequently unpatched, default-configured, and connected directly to the internet. These are the devices being conscripted. If your organization's staff work remotely, this isn't an abstract concern.
It's worth noting who signed this advisory. Spain's CCN — the National Cryptologic Centre — is one of the co-signatories. So are Germany's federal cybersecurity agency, Japan's NISC, and intelligence bodies from across the EU, the Pacific, and North America. Joint advisories of this breadth are not routine. They represent a considered decision by multiple governments that the threat is significant enough to warrant coordinated public disclosure.
That decision, in itself, tells you something about how seriously these agencies view the shift they're describing.
The full advisory, including detailed technical indicators and mitigation guidance, is available directly from the NCSC. For organizations in government, defense, or critical infrastructure, it warrants a direct read — not just a summary.
This is the second post in a three-part series. Read the introduction here.