The New Normal: Compromised Edge Devices as Covert Infrastructure
For years, cybersecurity professionals have focused on protecting endpoints—servers, workstations, and mobile devices. But a new advisory from the UK’s National Cyber Security Centre (NCSC), co-sealed with allies including the US CISA and the Australian Signals Directorate, signals a strategic shift in how state-sponsored Chinese actors operate. Instead of building their own command-and-control servers or renting bulletproof hosting, these groups are increasingly weaving their malicious infrastructure directly into compromised routers, firewalls, and VPN gateways.
This is not a theoretical threat. The advisory details how China-nexus groups—often tracked as APT5, APT31, APT40, and others—have been observed pivoting to what the NCSC calls “covert networks of compromised devices.” These are not your typical botnets used for DDoS or spam. They are stealthy, low-and-slow operations designed to blend in with legitimate traffic, making detection extraordinarily difficult.
The guidance, published on March 25, 2025, is the result of a joint intelligence effort involving the Five Eyes intelligence alliance plus Japan. It provides technical indicators, mitigation strategies, and a clear warning: if you operate edge devices, you are in the crosshairs.
Why Edge Devices? The Attacker’s Calculus
Traditional command-and-control (C2) infrastructure has a well-known weakness: it can be sinkholed, blocked, or taken down by law enforcement. Nation-state actors have long sought more resilient methods. The answer lies in the very devices that sit at the network perimeter.
Routers, firewalls, and VPN concentrators are uniquely valuable to attackers for several reasons:
- Persistence: Once compromised, these devices often run for months or years without a reboot or firmware update. An attacker can maintain access long after a typical endpoint breach would be detected.
- Visibility: Edge devices see all traffic entering and leaving a network. An attacker can monitor, intercept, or redirect data at will.
- Blending In: Malicious traffic originating from a trusted internal device is far less likely to raise alarms than traffic from an external IP.
- Hard to Patch: Many organizations treat edge devices as “set and forget,” rarely applying firmware updates. Known vulnerabilities in routers and firewalls are a primary entry vector.
The NCSC advisory specifically calls out the exploitation of unpatched vulnerabilities in products from Cisco, Fortinet, Juniper, and other major vendors. In many cases, the attackers leveraged zero-days, or n-days that had been publicly disclosed but not yet patched by victims.
Technical Details: How the Covert Networks Operate
The advisory provides a technical breakdown of the attack chain. It typically begins with a brute-force attack or credential theft against an edge device’s management interface. Once inside, the attackers deploy a custom implant—often a modified version of open-source tools like Chisel or FRP (Fast Reverse Proxy)—to establish a persistent tunnel.
This tunnel is then used to exfiltrate data, deploy additional payloads, or pivot to internal networks. The beauty of this approach from the attacker’s perspective is that the tunnel blends in with normal encrypted traffic. To an IDS/IPS, it looks like a legitimate VPN connection.
The advisory also highlights the use of “living off the land” techniques. Instead of dropping a large binary, attackers use built-in tools like Python, Perl, or even shell scripts already present on the device. This reduces forensic artifacts and makes detection far harder.
One particularly insidious tactic involves leveraging the device’s own logging capabilities. Attackers have been observed modifying syslog configurations to send copies of sensitive traffic to an external server, all while the device continues to function normally for its legitimate users.
The Human Factor: Why This Matters for Windows Administrators
If you are a Windows administrator, you might be thinking: “My endpoints are secure, my servers are patched. This doesn’t apply to me.” Think again. The NCSC advisory makes clear that these compromised edge devices are used as launching pads for attacks against Windows networks.
Once an attacker has a foothold on a router or firewall, they can:
- Intercept Windows authentication traffic: Capture NTLM hashes or Kerberos tickets as they traverse the network.
- Deploy ransomware or wipers: Use the trusted device to push malicious payloads to Windows endpoints.
- Pivot to Active Directory: Compromise a domain controller by routing attacks through the already-compromised edge device.
In other words, the security of your Windows environment is only as strong as the weakest edge device on your perimeter. A single unpatched router can undo months of endpoint hardening.
Mitigation: Practical Steps You Can Take Today
The advisory is not all doom and gloom. It provides a clear set of actionable recommendations. Here are the most critical, with a focus on Windows-centric environments:
1. Harden Edge Devices
- Disable unused services: If a router doesn’t need SNMP or Telnet, turn them off.
- Change default credentials: This is still the number one entry vector.
- Enforce multi-factor authentication (MFA) for all administrative access to edge devices. Yes, even on the console.
2. Patch Relentlessly
- Subscribe to vendor security alerts for your specific router, firewall, and VPN models.
- Establish a patching cadence for firmware updates. Treat them with the same urgency as Windows Patch Tuesday.
- Inventory all edge devices: You cannot patch what you don’t know exists.
3. Monitor for Signs of Compromise
The advisory provides specific indicators of compromise (IoCs) including:
- Unexpected outbound connections from edge devices to known malicious IPs.
- Modified configuration files, especially those related to logging or routing.
- Unusual user accounts or SSH keys added to the device.
- Unexpected spikes in traffic through a single device.
For Windows shops, integrate edge device logs into your existing SIEM (e.g., Microsoft Sentinel). Correlate anomalous edge traffic with Windows event logs to spot lateral movement early.
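The four indicator classes listed above, together with the syslog-redirection tactic described earlier, can be turned into a first-pass detection that runs over edge-device syslog before it reaches the SIEM. The script below is an added example, not code from the advisory or from any vendor: the message tags (CONFIG_I, CONFIG_CHANGE, CONN_OUT, IFSTAT), the edge inventory, the admin and internal subnets, the expected destinations and the alert names are all constructed for the example, and the addresses are RFC 5737 documentation ranges, not indicators from the advisory.

```python
"""Detection pass over edge-device syslog keyed to the four IoC classes above
(unexpected outbound connections, logging/routing config changes, new accounts
or SSH keys, traffic spikes) plus the external log-destination trick described
earlier. Added example, not content from the advisory: the message tags,
hostnames, subnets and addresses are constructed (RFC 5737 ranges), and the
alert names are this script's own."""
import ipaddress
import re
import statistics
from collections import defaultdict

EDGE_HOSTS = {"fw-edge-01", "rtr-branch-02"}          # constructed edge inventory
ADMIN_NET = ipaddress.ip_network("10.10.50.0/24")     # constructed jump-box subnet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_DST = {"192.0.2.10", "192.0.2.11"}           # constructed: vendor update / NTP hosts
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")    # "<ts> <host> <tag>: <body>"
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def is_internal(ip):
    """True when the address falls inside one of the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines, spike_factor=5.0):
    """Return (host, alert, detail) tuples; the only state is a per-host tx baseline."""
    alerts, tx_hist = [], defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, host, tag, body = m.groups()
        if host not in EDGE_HOSTS:           # workstation noise belongs to other detections
            continue
        if tag.endswith("CONFIG_I"):         # a config session opened: from where?
            src = re.search(r"\(" + IPV4 + r"\)", body)
            if src and ipaddress.ip_address(src.group(1)) not in ADMIN_NET:
                alerts.append((host, "config-from-non-admin-host", src.group(1)))
        elif tag == "CONFIG_CHANGE":         # diff lines against the last known-good config
            dst = re.match(r"\+logging host " + IPV4, body)
            if dst:
                kind = "logging-config-modified" if is_internal(dst.group(1)) else "external-log-destination"
                alerts.append((host, kind, body))
            elif body.startswith("+ip route"):
                alerts.append((host, "routing-config-modified", body))
            elif body.startswith("+username") or "pubkey-chain" in body:
                alerts.append((host, "new-account-or-ssh-key", body))
        elif tag == "CONN_OUT":              # the device itself talking out, not traffic through it
            dst = re.search(r"dst=" + IPV4, body).group(1)
            if not is_internal(dst) and dst not in EXPECTED_DST:
                alerts.append((host, "unexpected-outbound", dst))
        elif tag == "IFSTAT":                # spike = far above this host's own median so far
            tx = int(re.search(r"tx_bytes=(\d+)", body).group(1))
            hist = tx_hist[host]
            if len(hist) >= 3 and tx > spike_factor * statistics.median(hist):
                alerts.append((host, "traffic-spike", str(tx)))
            hist.append(tx)
    return alerts


# Constructed sample: a quiet baseline, then a config session from an
# unexpected source that redirects logging, adds an account and a key, and
# is followed by new outbound traffic and a transmit spike.
SAMPLE_LOG = """\
2025-03-26T01:00:00Z fw-edge-01 IFSTAT: gi0/0 tx_bytes=4000000
2025-03-26T01:05:00Z fw-edge-01 IFSTAT: gi0/0 tx_bytes=4200000
2025-03-26T01:10:00Z fw-edge-01 IFSTAT: gi0/0 tx_bytes=3900000
2025-03-26T01:12:00Z fw-edge-01 CONN_OUT: dst=192.0.2.10:443 bytes=5120
2025-03-26T02:14:05Z fw-edge-01 %SYS-5-CONFIG_I: Configured from vty0 (198.51.100.23) by admin
2025-03-26T02:14:09Z fw-edge-01 CONFIG_CHANGE: +logging host 203.0.113.45
2025-03-26T02:15:00Z fw-edge-01 CONFIG_CHANGE: +username svc-backup privilege 15
2025-03-26T02:15:02Z fw-edge-01 CONFIG_CHANGE: +ip ssh pubkey-chain username svc-backup
2025-03-26T02:16:00Z fw-edge-01 CONN_OUT: dst=203.0.113.45:443 bytes=18233
2025-03-26T02:20:00Z fw-edge-01 IFSTAT: gi0/0 tx_bytes=61000000
2025-03-26T02:21:00Z rtr-branch-02 %SYS-5-CONFIG_I: Configured from vty0 (10.10.50.7) by netadmin
2025-03-26T02:21:30Z rtr-branch-02 CONFIG_CHANGE: +ntp server 192.0.2.11
2025-03-26T02:22:00Z ws-finance-17 CONN_OUT: dst=203.0.113.99:443 bytes=900
"""
```

Running `detect(SAMPLE_LOG.splitlines())` yields six alerts, all for fw-edge-01, while the legitimate session from the jump-box subnet on rtr-branch-02 and the workstation line produce none. The logging-host check is deliberately two-tiered: a new internal collector is worth a ticket, but a log destination outside the organisation's own ranges is the pattern the advisory describes and is flagged separately. In a SIEM such as Sentinel the same logic maps onto a scheduled query joined against the edge inventory; the point of the script is that none of the checks need anything beyond the device's own syslog.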
4. Segment Your Network
- Place edge devices in a separate VLAN with strict firewall rules.
- Restrict management access to only authorized jump boxes or admin workstations.
- Use network access control (NAC) to prevent rogue devices from connecting.
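The hardening items in steps 1, 2 and 4 (unused services, default credentials, MFA via AAA, firmware currency, restricted management access) can be checked mechanically against each device's running configuration. The script below is an added example, not tooling from the advisory or from any vendor: it audits an IOS-style config text, and the two configurations, the default-credential list, the firmware inventory table and the check names are all constructed for the example. The "secret" values in the hardened config are placeholders, not real hashes.

```python
"""Audit an IOS-style running-config for the hardening gaps listed above:
insecure management services, default credentials, missing AAA (the hook an
MFA server plugs into), unrestricted management access and stale firmware.
Added example, not tooling from the advisory; the config text, default
credential list, firmware table and check names are all constructed."""
import re

# Constructed: vendor-default credential pairs an audit should reject.
DEFAULT_CREDS = {("admin", "admin"), ("cisco", "cisco"), ("admin", "password")}
# Constructed: the inventory's record of the current release per platform.
CURRENT_FIRMWARE = {"ISR4331": "17.9.4"}


def parse_config(text):
    """Split a config into top-level lines and {section header: [indented sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
            top.append(current)
    return top, sections


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def audit(config_text, platform, running_version):
    """Return findings as (severity, check, detail) tuples for one device."""
    findings = []
    top, sections = parse_config(config_text)
    top_set = set(top)
    # Steps 1 and 4: management services on the vty lines, and who may reach them.
    for header, body in sections.items():
        if header.startswith("line vty"):
            for sub in body:
                if sub.startswith("transport input") and re.search(r"\b(telnet|all)\b", sub):
                    findings.append(("high", "telnet-enabled", f"{header}: {sub}"))
            if not any(sub.startswith("access-class") for sub in body):
                findings.append(("medium", "mgmt-unrestricted", f"{header}: no access-class on management lines"))
    if "ip http server" in top_set:
        findings.append(("medium", "http-mgmt-enabled", "cleartext HTTP management is on"))
    for line in top:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("high", "snmp-default-community", line))
        # Step 1: default or reversible credentials.
        m = re.match(r"username (\S+) (?:privilege \d+ )?password (?:\d )?(\S+)$", line)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDS:
            findings.append(("high", "default-credentials", f"username {m.group(1)}"))
        if line.startswith("enable password"):
            findings.append(("high", "enable-password-reversible", "use 'enable secret' instead"))
    # Step 1: on IOS, MFA is enforced through an AAA (RADIUS/TACACS+) server;
    # without AAA only local passwords guard the management plane.
    if "aaa new-model" not in top_set:
        findings.append(("high", "no-aaa", "local-only authentication; MFA cannot be enforced"))
    # Step 2: firmware currency against the inventory record.
    current = CURRENT_FIRMWARE[platform]
    if version_tuple(running_version) < version_tuple(current):
        findings.append(("high", "firmware-outdated", f"running {running_version}, current {current}"))
    return findings


# Constructed "before" config: the set-and-forget branch router.
WEAK_CONFIG = """\
enable password cisco123
username admin password 0 admin
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" config: the same device with the mitigations applied.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
enable secret PLACEHOLDER_HASH
username netadmin secret PLACEHOLDER_HASH
no ip http server
ip http secure-server
snmp-server community Kq7vR2pL RO
ip access-list standard MGMT
 permit 10.10.50.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
 login authentication default
"""
```

Calling `audit(WEAK_CONFIG, "ISR4331", "17.6.1")` returns eight findings (six high, two medium), one for each item in the hardening checklist that the weak config misses; `audit(HARDENED_CONFIG, "ISR4331", "17.9.4")` returns none. The firmware check deliberately takes the running version from the inventory rather than from the config's own `version` line, which records the config format, not the image; that is also why step 2's inventory matters, since a device absent from `CURRENT_FIRMWARE` cannot be audited at all.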
The Bigger Picture: A Coordinated State-Sponsored Campaign
This advisory is not an isolated warning. It is part of a broader pattern of Chinese state-sponsored cyber activity that has escalated over the past 18 months. In February 2025, Microsoft disclosed that a China-linked group had compromised a critical number of internet-facing systems using a vulnerability in a popular VPN appliance. The NCSC advisory appears to be a direct response to that and similar incidents.
The Five Eyes intelligence community is clearly concerned enough to issue a joint public advisory—a move that is rare and signals high confidence in the intelligence. The advisory explicitly names the Chinese Ministry of State Security (MSS) as the orchestrator, though it stops short of attributing specific incidents.
For organizations that operate in sectors like defense, energy, telecommunications, or critical infrastructure, this is a call to action. But even small and medium businesses should take note: if your edge devices are compromised, you become a stepping stone for attacks on larger targets.
Conclusion: A New Frontier in Defensive Cyber Operations
The NCSC’s warning about China-nexus covert networks of compromised devices marks a turning point. The battlefield has shifted from endpoints to the network edge. As defenders, we must adapt.
Start by auditing every router, firewall, and VPN device in your environment. Question whether each one is necessary, properly configured, and fully patched. Implement the mitigations listed above. And above all, recognize that the security of your Windows environment is inextricably linked to the security of your network infrastructure.
The attackers are already inside these devices. It’s time to flush them out.