On April 23, 2026, the National Cyber Security Centre (NCSC) released a comprehensive technical advisory detailing a large-scale cyber espionage campaign orchestrated by Chinese state-sponsored actors. The report, co-authored with agencies from the United States, Australia, Canada, and New Zealand, identifies the systematic exploitation of everyday internet-connected devices—including routers, webcams, and printers—to gain unauthorized access to United Kingdom-based business networks.

The NCSC identified the primary threat actor as APT40, a group previously linked to the Chinese Ministry of State Security. According to the advisory, the group has compromised over 50,000 Small Office/Home Office (SOHO) routers and Internet of Things (IoT) devices globally, with a significant concentration in the UK. The actors operate a sophisticated botnet, designated Cinder-Net in the report, which leverages vulnerabilities in legacy firmware versions. In particular, the advisory notes that devices running outdated Linux kernels, versions 2.6 through 4.4, are especially susceptible to the Mirai-X variant malware used to establish persistent backdoors.

The espionage campaign employs living-off-the-land techniques, in which attackers use built-in network administration tools to move laterally through compromised systems. By routing malicious traffic through a mesh of legitimate consumer devices, the actors effectively mask their origin, making detection by traditional signature-based security software difficult. The NCSC reported that the average duration of these undetected intrusions exceeds 200 days. Affected services include internal file-sharing protocols and Virtual Private Network (VPN) gateways, which are abused to exfiltrate sensitive intellectual property and corporate communications.

Felicity Oswald, CEO of the NCSC, stated that the scale of the operation represents a significant shift in the tactical approach of state-aligned groups. The advisory emphasizes that the targeting is not limited to government infrastructure but extends to critical sectors such as aerospace, telecommunications, and high-tech manufacturing. The NCSC recommends that organizations immediately update firmware on all edge devices and implement multi-factor authentication (MFA) on all remote access points.

This warning follows a series of localized breaches reported by UK firms in the first quarter of 2026. Technical analysis of these incidents revealed that the initial point of entry was frequently an unpatched IP camera or a network-attached storage (NAS) device. The joint advisory provides a list of over 100 Indicators of Compromise (IoCs) and specific IP addresses associated with the Cinder-Net command-and-control infrastructure to assist IT departments in identifying and mitigating the threat.
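One way an IT department can put such an IoC list to work is to match outbound firewall logs against the published C2 addresses and give hits from edge-device subnets (routers, cameras, printers, NAS) triage priority. The following is an added illustration, not code from the advisory or the NCSC; the IoC addresses, the edge subnets, and the log lines are constructed placeholders, and the log format is assumed.

```python
"""Triage outbound firewall log lines against a C2 IoC list.

Added illustration: IOC_IPS, EDGE_SUBNETS and SAMPLE_LOGS are constructed
placeholders, not values from the advisory, and the log format is assumed."""
import ipaddress
import re
from collections import defaultdict

# Placeholder C2 addresses (TEST-NET ranges); substitute the advisory's IoC list.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
# Assumed subnets where SOHO routers, IP cameras, printers and NAS devices live.
EDGE_SUBNETS = [ipaddress.ip_network("10.20.0.0/24"),
                ipaddress.ip_network("10.30.0.0/24")]

# Assumed log line shape: "<timestamp> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")

# Constructed sample: an IP camera beaconing every 30 minutes, a NAS device and
# a workstation each contacting a C2 address, and one benign connection.
SAMPLE_LOGS = """\
2026-04-23T08:00:01Z 10.20.0.14:51022 -> 203.0.113.10:443
2026-04-23T08:00:05Z 10.50.0.9:40311 -> 192.0.2.5:443
2026-04-23T08:30:02Z 10.20.0.14:51040 -> 203.0.113.10:443
2026-04-23T09:00:03Z 10.20.0.14:51071 -> 203.0.113.10:443
2026-04-23T09:15:00Z 10.30.0.7:33456 -> 198.51.100.77:8443
2026-04-23T09:16:00Z 10.50.0.9:40399 -> 198.51.100.77:8443
"""

def is_edge_device(ip):
    """True if the address falls in one of the assumed edge-device subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EDGE_SUBNETS)

def find_ioc_hits(log_text):
    """Return {src_ip: [(timestamp, dst_ip, dst_port), ...]} for IoC connections."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dst"] not in IOC_IPS:
            continue
        hits[m["src"]].append((m["ts"], m["dst"], int(m["dport"])))
    return dict(hits)

def triage(log_text):
    """Split IoC hits into edge-device sources (priority) and other internal hosts."""
    hits = find_ioc_hits(log_text)
    edge = {src: v for src, v in hits.items() if is_edge_device(src)}
    other = {src: v for src, v in hits.items() if src not in edge}
    return edge, other

if __name__ == "__main__":
    edge, other = triage(SAMPLE_LOGS)
    for src, conns in edge.items():
        print(f"EDGE DEVICE {src}: {len(conns)} C2 connection(s), first at {conns[0][0]}")
    for src, conns in other.items():
        print(f"host {src}: {len(conns)} C2 connection(s)")
```

Repeated hits from one edge device at regular intervals are the beaconing pattern worth escalating first, since the advisory describes such devices as the usual initial point of entry.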