The UK National Cyber Security Centre (NCSC), in coordination with international partners including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), issued a comprehensive technical advisory on April 23, 2026. The report details the systematic exploitation of Small Office and Home Office (SOHO) devices by state-sponsored hacking groups linked to the People’s Republic of China. These actors are reportedly repurposing thousands of everyday consumer electronics, such as Wi-Fi routers, IP cameras, and Network Attached Storage (NAS) units, to build covert proxy networks designed to facilitate espionage against UK critical national infrastructure and private enterprises.
According to the NCSC, the primary objective of these covert networks is to obscure the true origin of an attack. Commands and stolen data are routed through compromised residential hardware, so the traffic that reaches a victim carries the source address of an ordinary UK household or small business rather than of infrastructure known to belong to the actor. That defeats perimeter controls that rely on IP reputation or geolocation and lets the activity blend into what a security operations center expects to see. The advisory also identifies living-off-the-land techniques, in which the operators use the administrative tools already present on the device to maintain persistence without dropping a separate malware payload that signature-based tools could flag. This keeps the on-device footprint small and complicates forensic analysis and attribution for security teams.
Technical analysis provided in the April 23 report indicates that the campaign has targeted vulnerabilities in legacy firmware, specifically citing CVE-2026-2104, a critical remote code execution flaw found in several older router models. The NCSC highlighted that devices that have reached end-of-life status are particularly exposed: they no longer receive security updates, so a flaw of this kind remains exploitable for as long as the device stays online. The agency estimated that over 15,000 devices across the UK have been absorbed into these networks over the last eighteen months, providing a persistent platform for data exfiltration and reconnaissance. The affected population is dominated by residential broadband connections and small business networks that lack enterprise-grade monitoring and automated patching.
The advisory identifies the threat group as a sophisticated state-sponsored entity, often referred to in industry circles as APT40. The group has shifted its focus toward long-term persistence within the networks of firms involved in telecommunications, energy, and government services. Paul Chichester, Director of Operations at the NCSC, stated that the use of consumer-grade hardware as a springboard for high-level espionage represents a significant evolution in the threat landscape. He emphasized that the scale of the operation requires immediate action from both device manufacturers and network administrators to secure internet-facing hardware and prevent further infiltration.
To mitigate these risks, the NCSC recommends that organizations and individuals disable remote management features (administrative interfaces reachable from the internet side of the device) on all SOHO devices unless strictly necessary. The agency also urged the immediate application of firmware updates, the use of multi-factor authentication where the device supports it, and the replacement of hardware that has passed its manufacturer-supported lifecycle. The report concludes that without these measures, the decentralized nature of these covert networks will continue to provide a low-cost, high-impact mechanism for state-sponsored actors to conduct clandestine operations against sensitive targets.
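Both behaviours the article describes, a consumer device relaying traffic between two internet hosts (the covert proxy pattern) and a device whose management interface is reachable from the internet (the NCSC's first mitigation), are visible in flow data if anyone is looking. The following Python script is an illustration added to this page; it is not part of the NCSC advisory or of any vendor product. It runs both checks over a constructed set of flow records. The flow line format, the 192.168.1.0/24 LAN prefix, the assumption that the sensor sees each device's post-NAT LAN address, the admin port list and the 5 second pairing window are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumptions for this example: the monitored LAN is 192.168.1.0/24, flows are
# collected by a sensor that sees the post-NAT LAN address of each device, and
# a 5 second pairing window is tight enough to catch relay behaviour.
LAN = ipaddress.ip_network("192.168.1.0/24")
MGMT_PORTS = {22, 23, 80, 443, 8080, 8443}  # typical SOHO admin services
RELAY_WINDOW = 5                             # seconds


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed format '<ts> <src>:<port> -> <dst>:<port>'."""
    ts, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"bad flow line: {line!r}")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(int(ts), ipaddress.ip_address(sip), int(sport),
                ipaddress.ip_address(dip), int(dport))


def exposed_management(flows):
    """LAN devices accepting connections on admin ports from outside the LAN.

    This is what 'remote management left enabled' looks like in flow data.
    Returns {device_ip: sorted list of exposed ports}.
    """
    hits = defaultdict(set)
    for f in flows:
        if f.dst in LAN and f.src not in LAN and f.dport in MGMT_PORTS:
            hits[str(f.dst)].add(f.dport)
    return {dev: sorted(ports) for dev, ports in hits.items()}


def relay_candidates(flows, window=RELAY_WINDOW):
    """LAN devices that accept a connection from one external host and, within
    `window` seconds, open a connection to a different external host.

    A camera or NAS has no business doing this; a proxy hop does it constantly.
    Returns sorted (device, inbound_source, outbound_destination) tuples.
    """
    inbound = defaultdict(list)   # device -> [(ts, external source)]
    outbound = defaultdict(list)  # device -> [(ts, external destination)]
    for f in flows:
        if f.dst in LAN and f.src not in LAN:
            inbound[f.dst].append((f.ts, f.src))
        elif f.src in LAN and f.dst not in LAN:
            outbound[f.src].append((f.ts, f.dst))
    findings = set()
    for dev, ins in inbound.items():
        for t_in, ext_src in ins:
            for t_out, ext_dst in outbound.get(dev, []):
                if ext_dst != ext_src and 0 <= t_out - t_in <= window:
                    findings.add((str(dev), str(ext_src), str(ext_dst)))
    return sorted(findings)


# Constructed sample: 192.168.1.10 is a NAS with port forwards, 192.168.1.20 is
# a laptop browsing normally. 203.0.113.0/24 and 198.51.100.0/24 stand in for
# arbitrary internet hosts.
SAMPLE_FLOWS = """\
1700000000 203.0.113.5:51000 -> 192.168.1.10:443
1700000002 192.168.1.10:40001 -> 198.51.100.9:443
1700000010 192.168.1.20:52000 -> 198.51.100.30:443
1700000030 203.0.113.5:51001 -> 192.168.1.10:22
1700000100 192.168.1.10:40002 -> 198.51.100.40:443
"""


def analyse(text: str):
    """Run both checks over a block of flow lines; returns (exposed, relays)."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return exposed_management(flows), relay_candidates(flows)


if __name__ == "__main__":
    exposed, relays = analyse(SAMPLE_FLOWS)
    for dev, ports in exposed.items():
        print(f"{dev}: admin ports reachable from outside the LAN: {ports}")
    for dev, src, dst in relays:
        print(f"{dev}: accepted {src} then connected out to {dst} (relay pattern)")
```

Run as-is, the script flags the NAS for accepting connections on ports 22 and 443 from outside the LAN and for the inbound-then-outbound pair at the start of the sample; the laptop's normal browsing and the NAS's later unpaired outbound connection are not reported. To use it on real data, convert gateway flow or connection-tracking records into the same "ts src:port -> dst:port" shape and expect to tune the window and the port list. A deliberate port forward to a NAS will appear under exposed_management, which is exactly the kind of exposure the advisory says should be reviewed and removed unless strictly needed.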