For years, advanced threat groups have followed a pretty basic rule of operational security: don't attack from infrastructure that can be easily traced back to you.
That part isn't new.
Nation-state actors have long relied on proxy infrastructure, rented servers, compromised websites, bulletproof hosting providers, and hijacked systems to create distance between themselves and their operations. If you're running espionage campaigns or targeting critical infrastructure, you're obviously not going to attack directly from something that points back to your own network.
That's why some of the recent headlines around China-linked cyber operations need a little more nuance.
The real story isn't that these actors suddenly discovered how to hide their tracks. The real story is that the modern internet has made hiding dramatically easier.
There are now billions of internet-connected devices online, and a huge percentage of them were never designed with long-term security in mind. Home routers, office routers, IP cameras, smart devices, NAS appliances, firewalls, DVR systems, and countless other edge devices often remain exposed for years with outdated firmware, weak credentials, and little to no monitoring. Many are end-of-life products that no longer receive security updates at all.
That creates an enormous pool of infrastructure that attackers can quietly hijack and repurpose.
And according to a recent joint advisory from the UK's National Cyber Security Centre alongside partners including the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and National Security Agency, China-linked threat actors are increasingly doing exactly that. The advisory says these actors are moving away from individually procured infrastructure and increasingly relying on large-scale networks of compromised devices to route operations. These networks are constantly refreshed, often shared across multiple actors, and increasingly difficult for defenders to track.
That distinction matters.
This isn't a story about attackers becoming stealthier overnight. It's a story about an internet that has become incredibly convenient for attackers to weaponize.
The internet accidentally built the perfect hiding place
The explosion of connected devices created enormous convenience for consumers and businesses. It also created one of the largest unmanaged attack surfaces in history.
A home router might sit untouched for five years. A small business firewall may never receive a firmware update. An internet-connected security camera might still be running default credentials. A NAS appliance could be directly exposed to the internet without anyone realizing it.
Individually, these issues might seem small. At global scale, they become incredibly useful infrastructure for threat actors.
Instead of buying servers or spinning up cloud environments that defenders can eventually identify, attackers can simply compromise thousands of poorly maintained devices across multiple countries and use them as relay infrastructure.
This makes attribution far more difficult because investigators may only see malicious traffic coming from what appears to be an ordinary residential router or small business appliance. That traffic often looks far less suspicious than activity originating from known malicious infrastructure.
Why China-linked actors are getting attention
The recent advisory focuses heavily on China-linked operations because agencies believe these actors are using compromised infrastructure at significant scale.
One of the most widely discussed examples was Volt Typhoon, which used compromised infrastructure while targeting critical sectors including communications, transportation, energy, and water systems. What made that campaign especially concerning was that it appeared focused on maintaining long-term access to critical infrastructure rather than immediate disruption.
Another example was Flax Typhoon, which used similar infrastructure for espionage operations.
Then there was Raptor Train, a botnet that reportedly infected more than 200,000 devices globally. Investigators said the infrastructure included routers, cameras, video recorders, and network-attached storage devices. The scale alone showed how much available infrastructure exists for attackers willing to exploit vulnerable devices.
These examples are getting attention because they show how operationally mature these networks have become.
This no longer looks like random opportunistic botnet activity. It looks structured. It looks maintained. And in some cases, it appears deeply integrated into broader intelligence operations.
Why defenders are struggling
For years, many security teams relied heavily on identifying malicious IP addresses and blocking them.
That model is becoming far less effective.
If attackers are rotating through thousands of compromised devices, static blocklists lose value quickly. An IP blocked today may disappear tomorrow and be replaced by dozens of new nodes.
The NCSC referenced what security researchers have called "indicator of compromise extinction," where traditional indicators become outdated almost immediately because attacker infrastructure changes too quickly.
That creates a major challenge for defenders because the signals they relied on for years are becoming less reliable.
The question is no longer simply "what IP should we block?" The better question is "why are we trusting this connection in the first place?" That's a much harder problem.
FIRESTARTER shows the problem doesn't stop at initial access
The recent CISA report on FIRESTARTER adds another important layer to this discussion.
The report highlighted malware designed to help attackers maintain persistence after compromise. According to CISA, detecting FIRESTARTER often requires memory analysis, which suggests defenders may be dealing with malware specifically designed to avoid traditional detection methods.
That matters because compromised infrastructure is only part of the challenge. Attackers are getting better at hiding before compromise through distributed infrastructure. They're also improving their ability to remain hidden after compromise. That combination creates a much more difficult environment for defenders.
What organizations need to do differently
The answer isn't panic. And it definitely isn't trying to block every suspicious IP on the internet.
Organizations need stronger visibility into their own environments. They need a clear understanding of which systems are internet-facing and why. They need stronger authentication controls for remote access. They need better logging. They need behavioral monitoring that helps identify unusual connections rather than relying exclusively on known bad indicators. They need fewer exposed systems.
And they need to stop treating edge devices as low-priority assets.
Many organizations still spend heavily securing cloud workloads while ignoring outdated appliances quietly sitting at the edge of their networks. Attackers know this. That's why these devices keep showing up in major investigations.
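To make the blocklist-versus-behaviour point concrete, here is an added example (not from the advisory or this article) that runs two detections over constructed remote-access authentication log lines: a static IP blocklist, and a behavioural check that flags an account whose successful logins arrive from several distinct source networks inside a short window, which is what rotating through compromised edge devices looks like from the defender's side. The log format, blocklist contents and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample remote-access auth log lines (not real data):
# timestamp, account, source IP, result
SAMPLE_LOG = """\
2026-04-20T08:01:10Z alice 203.0.113.14 success
2026-04-20T08:03:42Z alice 203.0.113.14 success
2026-04-20T08:05:07Z bob 198.51.100.7 success
2026-04-20T08:06:55Z bob 192.0.2.33 success
2026-04-20T08:08:19Z bob 203.0.113.200 success
2026-04-20T08:09:48Z bob 192.0.2.120 success
2026-04-20T09:30:00Z carol 203.0.113.77 success
"""

# Assumed static blocklist: only one of bob's rotating addresses is "known bad".
BLOCKLIST = {"192.0.2.33"}

def parse(log: str):
    events = []
    for line in log.splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, ip, result))
    return events

def blocklist_hits(events):
    """Indicator-based detection: flags only addresses already on the list."""
    return sorted({ip for _, _, ip, _ in events if ip in BLOCKLIST})

def rotating_source_accounts(events, window=timedelta(minutes=10), min_networks=3):
    """Behavioural detection: an account whose successful logins come from
    >= min_networks distinct /24 networks within one sliding window is flagged,
    whether or not any of those addresses is on a blocklist."""
    by_account = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "success":
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            by_account[account].append((ts, net))
    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            nets = {net for ts, net in rows[i:] if ts - start <= window}
            if len(nets) >= min_networks:
                flagged[account] = len(nets)
                break
    return flagged
```

The blocklist catches one address and nothing else, while the behavioural rule flags bob's account after three distinct networks in under five minutes; in production the /24 grouping and thresholds would be tuned per environment and per user population.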
The bigger problem
The bigger issue here extends well beyond China-linked operations.
Once attackers realize that compromised infrastructure is cheap, scalable, and difficult to attribute, other groups will continue using the same model. And why wouldn't they? The internet has given them millions of poorly secured devices that can be turned into operational infrastructure.
This is what happens when connectivity grows faster than security maturity.
And unless organizations start taking edge security far more seriously, these covert networks will only continue getting bigger.
The tactic itself isn't new. The scale absolutely is.
Sources:
- CISA Advisory AA26-113A
- CISA Analysis Report AR26-113A — FIRESTARTER
