China’s state-backed groups are now using covert networks of compromised devices to execute attacks in a low-cost, low-risk, and deniable way, according to a report from Dark Reading. The striking part of this story is that these groups can launch attacks through compromised devices without being detected, which makes the tactic a significant concern for cybersecurity experts.
Key Takeaways
- China’s state-backed groups are industrializing botnets to launch attacks.
- The use of compromised devices makes it difficult to detect and prevent attacks.
- The tactic allows for low-cost, low-risk, and deniable attacks.
- The report highlights the growing concern of botnet attacks.
- The industrialization of botnets makes it easier for state-backed groups to launch attacks.
China’s State-Backed Groups
China’s state-backed groups are using covert networks of compromised devices to execute attacks, according to the report. Because the owners of these devices are usually unaware that their hardware is relaying attacks, the activity is hard to detect and prevent, and the tactic gives the operators low-cost, low-risk, and deniable attacks. These operations are not isolated incidents but part of a broader trend of cyber-enabled influence and espionage campaigns. Groups like APT41 and APT10, both linked to China’s Ministry of State Security, have been observed deploying malware that turns consumer routers, IP cameras, and even smart home appliances into attack relays. These devices, often running outdated firmware and protected only by default credentials, offer attackers persistent access with minimal overhead.
Implications of Botnet Attacks
Botnet attacks can have significant consequences, including the theft of sensitive information and the disruption of critical infrastructure. Because the attacks originate from compromised devices, they are hard to prevent and detect, and the report calls for increased awareness and vigilance. For example, in 2022, the FBI disrupted a botnet known as “8220,” which had infected over 400,000 devices globally and was used to conduct ransomware attacks and cryptocurrency mining. The infrastructure behind such botnets is often distributed across multiple jurisdictions, complicating law enforcement efforts. When used in coordinated distributed denial-of-service (DDoS) attacks, these botnets can overwhelm targeted servers with traffic volumes exceeding 1 terabit per second, enough to knock major websites offline. The blending of criminal and state interests further blurs accountability, as some botnets serve dual purposes: generating illicit revenue while also providing operational cover for espionage.
The Industrialization of Botnets
The industrialization of botnets makes it easier for state-backed groups to launch attacks, according to the report, because compromised devices let an operator launch a high volume of attacks quickly and cheaply. Botnet deployment is no longer a bespoke operation requiring deep technical expertise. Instead, it is increasingly standardized, with modular malware frameworks, automated infection scripts, and off-the-shelf command-and-control (C2) platforms. For instance, the Mirai malware family, first identified in 2016, has evolved into dozens of variants, many of which are openly shared in underground forums. Chinese-linked actors have adapted these tools to target specific sectors, including energy, finance, and telecommunications. In some cases, attackers use botnets not just for volume-based attacks but as stealthy data exfiltration channels, routing stolen information through thousands of devices to mask origin points. This shift reflects a broader trend: cyber operations are becoming more scalable, repeatable, and resilient to takedowns.
Global Industry Response and Competitive Landscape
As China-linked groups scale their botnet operations, private sector firms and rival nation-states are responding with new detection and mitigation strategies. Companies like Cloudflare, Akamai, and Palo Alto Networks have developed real-time traffic analysis tools that identify anomalous behavior patterns consistent with botnet activity. Akamai, for example, reported blocking over 4,000 DDoS attacks per day in Q1 2023, many traced back to Asian-based botnet clusters. Their Prolexic platform uses behavioral fingerprinting to detect botnet traffic even when encryption is used. Meanwhile, Microsoft’s Digital Crimes Unit has taken legal action to dismantle botnet command servers, using court orders to seize domains used by malware networks. On the research side, academic institutions like Georgia Tech and the University of California, Berkeley are developing machine learning models that predict device vulnerability based on firmware signatures and update histories. Other nations are also adapting. The U.S. Cyber Command has increased its “defend forward” operations, disrupting botnet infrastructure in foreign networks before attacks reach domestic targets. In contrast, Russia and North Korea rely more on custom malware and fewer IoT-based botnets, favoring targeted intrusions over broad, automated networks. This divergence highlights a strategic choice: China appears to prioritize scale and persistence, while others focus on precision and stealth.
Technical and Policy Dimensions
The technical design of modern botnets reflects a shift toward resilience and evasion. Many now use domain generation algorithms (DGAs) to create thousands of potential C2 server addresses daily, making blacklisting ineffective. Others employ peer-to-peer (P2P) communication, eliminating centralized control points that could be taken down. Some Chinese-linked botnets have even integrated fast-flux DNS techniques, rotating IP addresses rapidly across compromised cloud instances to obscure their location. On the policy side, regulatory gaps remain a major obstacle. The U.S. lacks comprehensive federal standards for IoT security, though the 2020 IoT Cybersecurity Improvement Act requires baseline security for devices purchased by federal agencies. The European Union’s Cyber Resilience Act, expected to take full effect by 2027, mandates stricter software security requirements, including patching obligations and vulnerability disclosure processes. However, enforcement remains uneven. Industry-led initiatives like the Open Source Security Foundation (OpenSSF) and the NTIA’s Software Transparency effort aim to improve device firmware integrity, but adoption is voluntary. Without binding international norms, botnet infrastructure will continue to thrive in jurisdictions with weak enforcement. The lack of global cooperation also hampers attribution; even when traffic is traced to Chinese IP blocks, the presence of compromised devices means attackers can operate with plausible deniability.
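As an added illustration of why blacklisting fails against DGAs, and of the lexical heuristic defenders use instead, here is example code that is not from the report or any vendor product: it scores the second-level label of each queried name on length, entropy and vowel ratio. The sample names are constructed, and the naive suffix split assumes single-label TLDs.

```python
import math
from collections import Counter

# Constructed sample of queried names (not real telemetry): two DGA-like, three ordinary.
SAMPLE_QUERIES = [
    "login.microsoftonline.com",
    "xkqzvtrhwpmlgd.com",
    "cdn.akamaihd.net",
    "a1b2c3d4e5f6g7h8.net",
    "example.com",
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(domain: str) -> str:
    """Label left of the TLD. Assumes a single-label public suffix (e.g. .com);
    names under .co.uk and similar would need a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_features(domain: str) -> dict:
    """Cheap lexical features of the registrable label."""
    label = second_level_label(domain)
    alpha = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in "aeiou" for ch in alpha)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(alpha) if alpha else 0.0,
        "digit_ratio": digits / len(label) if label else 0.0,
    }

def is_suspected_dga(domain: str, min_len: int = 12, min_entropy: float = 3.2,
                     max_vowel_ratio: float = 0.25, min_digit_ratio: float = 0.3) -> bool:
    """High entropy alone is not enough: long real words also score high, so require
    an unpronounceable (vowel-poor) or digit-heavy label as well. Thresholds are
    illustrative starting points to be tuned against the local DNS baseline."""
    f = dga_features(domain)
    if f["length"] < min_len or f["entropy"] < min_entropy:
        return False
    return f["vowel_ratio"] <= max_vowel_ratio or f["digit_ratio"] >= min_digit_ratio

def scan_queries(domains):
    """Return the queried names worth a second look, preserving input order."""
    return [d for d in domains if is_suspected_dga(d)]
```

Run on DNS query logs this surfaces candidates for analyst review rather than verdicts; CDN and cloud hostnames are the usual false positives, which is why the vowel and digit checks gate the entropy score.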
Prevention and Detection
To prevent and detect botnet attacks, cybersecurity experts recommend increased awareness and vigilance. This includes monitoring network traffic for suspicious activity and implementing security measures to prevent compromised devices from being used to launch attacks. The report highlights the need for a proactive approach to prevent and detect botnet attacks. Organizations should deploy network segmentation to isolate IoT devices, apply firmware updates regularly, and use intrusion detection systems (IDS) capable of identifying command-and-control traffic. Tools like Zeek (formerly Bro) and Suricata can log and analyze network behavior, flagging anomalies such as repeated failed login attempts or unusual outbound connections. Endpoint detection and response (EDR) platforms, such as CrowdStrike and SentinelOne, now include capabilities to detect lateral movement and botnet beaconing within internal networks. For developers, secure coding practices and software bills of materials (SBOMs) can reduce vulnerabilities in device firmware. The National Institute of Standards and Technology (NIST) offers guidelines under its Cybersecurity Framework, particularly in the “Identify” and “Detect” functions, which help organizations assess device risk and monitor for threats in real time.
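One concrete form of the C2 beaconing check described above, as an added example that is not code from Zeek, Suricata or the report: it reads a constructed, simplified Zeek conn.log extract (timestamp, originator, responder, responder port, tab-separated; an assumed layout, not Zeek’s full schema) and flags flows whose connection intervals are too regular to be human-driven traffic.

```python
import statistics
from collections import defaultdict

# Constructed sample in a simplified conn.log layout: ts, id.orig_h, id.resp_h, id.resp_p.
# Not captured traffic. Host .21 connects out every ~60 s; host .30 connects irregularly.
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.50.21\t203.0.113.10\t8443
1700000060.0\t10.0.50.21\t203.0.113.10\t8443
1700000121.0\t10.0.50.21\t203.0.113.10\t8443
1700000179.0\t10.0.50.21\t203.0.113.10\t8443
1700000240.0\t10.0.50.21\t203.0.113.10\t8443
1700000301.0\t10.0.50.21\t203.0.113.10\t8443
1700000005.0\t10.0.50.30\t198.51.100.7\t443
1700000900.0\t10.0.50.30\t198.51.100.7\t443
1700002400.0\t10.0.50.30\t198.51.100.7\t443
1700002410.0\t10.0.50.30\t198.51.100.7\t443
1700003100.0\t10.0.50.30\t198.51.100.7\t443
1700003105.0\t10.0.50.30\t198.51.100.7\t443
"""

def parse_conn_log(text: str):
    """Yield (ts, src, dst, dport) tuples; '#' lines are Zeek-style headers and are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split("\t")
        rows.append((float(ts), src, dst, int(dport)))
    return rows

def find_beacons(rows, min_connections: int = 5, max_cv: float = 0.2):
    """Return (src, dst, dport, mean_interval_s) for flows whose inter-connection
    gaps are suspiciously regular: coefficient of variation (stdev / mean) <= max_cv.
    Implants add jitter, so max_cv is a tuning knob, not a fixed constant."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_flow[(src, dst, dport)].append(ts)
    beacons = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((*flow, round(mean, 1)))
    return beacons
```

In practice the flagged flows are then joined against destination reputation and the DGA-style lexical checks on the resolved names, since legitimate software updaters and NTP clients also poll on fixed intervals.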
What This Means For You
The industrialization of botnets by China’s state-backed groups has significant implications for developers and builders. These groups can launch attacks through compromised devices without being detected, so developers and builders must understand the risk and take proactive measures. Although attacks launched from compromised devices are hard to detect and prevent, there are steps that reduce the risk: implementing security measures that keep devices from being conscripted into attacks, and monitoring network traffic for suspicious activity. This includes designing devices with secure boot, encrypted storage, and remote attestation features. It also means participating in threat intelligence sharing programs like the Cyber Threat Alliance or CISA’s Automated Indicator Sharing (AIS) system, which can provide early warnings of emerging botnet campaigns.
Why It Matters Now
This trend matters more than ever because the attack surface is expanding rapidly. The number of internet-connected devices is projected to surpass 29 billion by 2030, up from 16 billion in 2022, according to Statista. Each new device is a potential node in a future botnet. As smart cities, industrial control systems, and 5G networks come online, the stakes grow higher. A botnet capable of targeting traffic signals or power grid sensors could cause physical disruption, not just data loss. The convergence of cyber and physical infrastructure means that what once seemed like a nuisance—compromised webcams or routers—could now pose national security risks. At the same time, geopolitical tensions are rising. Cyber operations offer a way for states to exert pressure without crossing the threshold of open conflict. By using botnets as deniable tools, China and others can test defenses, probe critical systems, and create chaos without formal attribution. For businesses and governments, this means cybersecurity is no longer just an IT issue—it’s a strategic imperative. The window to secure the next generation of connected devices is closing fast.
Conclusion
China’s state-backed groups are industrializing botnets to launch attacks, according to the report from Dark Reading. Attacks launched from compromised devices are hard to detect and prevent, which makes them a significant concern for cybersecurity experts. More of these attacks are likely in the future, so developers and builders need to be aware of the risks and take proactive measures to prevent and detect them. What will be the next step for China’s state-backed groups, and how will cybersecurity experts respond to the growing threat of botnet attacks?
Sources: Dark Reading, Cybersecurity and Infrastructure Security Agency, FBI, Akamai, Microsoft, NIST, Statista, European Union, OpenSSF