
Chinese Hackers Using Compromised Networks to Spy on Western Companies, Says Five Eyes
Why It Matters
The tactic erodes traditional perimeter defenses, giving Chinese state‑sponsored actors a stealthy, scalable foothold in critical sectors and raising the risk of prolonged data breaches and infrastructure disruption.
Key Takeaways
- Chinese hackers leverage botnets of 200k+ compromised devices.
- Volt Typhoon accessed US critical infrastructure for over five years.
- Flax Typhoon operated a 260,000‑device network for global espionage.
- Integrity Technology’s Raptor Train infected 200k devices in 2024.
- NCSC urges adaptive, intelligence‑driven defenses and MFA for remote access.
Pulse Analysis
The emergence of large‑scale botnets built from everyday IoT devices marks a strategic evolution in Chinese cyber‑espionage. By compromising low‑cost hardware that often lacks regular firmware updates, groups like Volt Typhoon and Flax Typhoon can assemble hundreds of thousands of footholds worldwide. These networks serve as flexible staging grounds, allowing attackers to pivot between reconnaissance, malware delivery, command‑and‑control and data exfiltration without exposing their true origin. The Five Eyes advisory highlights that such infrastructure can remain undetected for years, as seen with Volt Typhoon’s five‑year presence in U.S. critical systems.
For Western enterprises, the reliance on static IP blocklists and perimeter‑only security models is increasingly ineffective. The covert nature of these botnets means a compromised device in one country can be used to breach a target in another, rendering geographic filtering obsolete. Moreover, the rapid reconfiguration of infected endpoints thwarts traditional indicators of compromise, forcing security teams to adopt more dynamic threat‑intel feeds and behavior‑based analytics. Companies that fail to map their own internet‑connected assets risk blind spots that adversaries can exploit.
In response, the NCSC and allied agencies recommend a multi‑layered approach: inventory and segment all IoT and VPN endpoints, enforce multifactor authentication for remote access, and deploy adaptive, intelligence‑driven monitoring that can flag anomalous traffic patterns. Threat‑intelligence sharing across the Five Eyes network provides up‑to‑date indicators and dynamic blocklists, helping organizations stay ahead of shifting attack vectors. As geopolitical tensions intensify, robust cyber hygiene will be essential to protect critical infrastructure and intellectual property from these sophisticated, stealthy campaigns.
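As an added illustration of the behaviour-based monitoring the advisory recommends over static IP blocklists, the Python below (not code from the advisory, the NCSC or the article) builds a per-device baseline of outbound destinations and typical volume from inventoried IoT and VPN endpoints, then reviews new flow records against that baseline, a dynamic blocklist feed, and the asset inventory. Every device name, address, byte count and blocklist entry is constructed for the example.

```python
# Added example: behaviour-based review of outbound flows from inventoried
# IoT/VPN endpoints. All devices, IPs, volumes and the blocklist are constructed.
from collections import defaultdict
from statistics import median

# Constructed asset inventory: device -> (class, network segment).
# Anything not listed here is a blind spot the text warns about.
INVENTORY = {
    "cam-01":    ("iot", "segment-iot"),
    "cam-02":    ("iot", "segment-iot"),
    "vpn-gw-01": ("vpn", "segment-dmz"),
}

# Constructed historical flow records used to learn a baseline:
# (device, dest_ip, dest_port, bytes_out)
HISTORY = [
    ("cam-01", "10.0.5.20", 443, 12_000),
    ("cam-01", "10.0.5.20", 443, 11_500),
    ("cam-01", "10.0.5.20", 443, 12_300),
    ("cam-02", "10.0.5.20", 443, 9_800),
    ("cam-02", "10.0.5.20", 443, 10_100),
    ("vpn-gw-01", "10.0.9.1", 443, 250_000),
    ("vpn-gw-01", "10.0.9.1", 443, 260_000),
]

# Constructed flows to evaluate against the baseline.
NEW_FLOWS = [
    ("cam-01", "10.0.5.20", 443, 12_100),       # matches baseline
    ("cam-01", "203.0.113.7", 8443, 12_000),    # destination never seen for this camera
    ("cam-02", "10.0.5.20", 443, 95_000),       # roughly nine times the usual volume
    ("vpn-gw-01", "198.51.100.9", 443, 1_000),  # destination on the dynamic blocklist
    ("printer-7", "10.0.5.20", 443, 500),       # device missing from the inventory
]

# Constructed dynamic blocklist; in practice refreshed from a shared intel feed.
BLOCKLIST = {"198.51.100.9"}


def build_baseline(history):
    """Per device: the set of (ip, port) destinations seen and the median bytes_out per flow."""
    dests = defaultdict(set)
    volumes = defaultdict(list)
    for device, ip, port, nbytes in history:
        dests[device].add((ip, port))
        volumes[device].append(nbytes)
    return {d: {"dests": dests[d], "median_bytes": median(volumes[d])} for d in dests}


def score_flows(flows, inventory, baseline, blocklist, volume_factor=5.0):
    """Return (device, dest_ip, reason) tuples that deserve analyst attention.

    A flow can produce more than one reason; blocklist hits are reported in
    addition to behavioural findings rather than instead of them.
    """
    alerts = []
    for device, ip, port, nbytes in flows:
        if device not in inventory:
            alerts.append((device, ip, "uninventoried-asset"))
            continue
        if ip in blocklist:
            alerts.append((device, ip, "blocklisted-destination"))
        profile = baseline.get(device)
        if profile is None:
            alerts.append((device, ip, "no-baseline"))
            continue
        if (ip, port) not in profile["dests"]:
            alerts.append((device, ip, "new-destination"))
        if nbytes > volume_factor * profile["median_bytes"]:
            alerts.append((device, ip, "volume-anomaly"))
    return alerts


if __name__ == "__main__":
    for alert in score_flows(NEW_FLOWS, INVENTORY, build_baseline(HISTORY), BLOCKLIST):
        print(alert)
```

The blocklist check is kept, but it is deliberately only one of four signals: the new-destination and volume checks fire on the camera flows even though neither destination is on any feed, which is the point of pairing an asset inventory with behavioural baselines rather than relying on geographic or static IP filtering alone.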