
‘Covert Networks’ Advisory and the Risk to CPS Assets


An advisory published April 23 by numerous government cybersecurity and law enforcement agencies around the world describes a shift in offensive tactics by China-nexus threat actors. It warns of “covert networks” of compromised devices, akin to botnets, being used in strategic attacks against critical infrastructure worldwide.

Covert networks, as the agencies describe them, are made up of connected internet-of-things (IoT) devices and edge devices, including security appliances such as firewalls. A significant share of these devices are end-of-life: they are no longer supported by their vendors and no longer receive security or feature updates. They are used at every stage of an attack path, from reconnaissance to malware delivery, command-and-control communication with compromised systems, and data exfiltration.

These networks are large and are often used by more than one China-nexus actor, the report says. The agencies urge organizations to understand not only how these networks function, but also how foundational security practices can put up barriers in front of this threat. 

At Claroty’s annual Nexus Conference in October 2025, Mandiant Chief Technology Officer Charles Carmakal described, in a keynote address, activity targeting edge devices, in particular those that cannot run endpoint detection and response (EDR) agents. He also shared that China-nexus adversaries are determined and dwell on compromised systems, sometimes for years. Their tools include custom-built rootkits, malware frameworks, and backdoors purpose-built for the computing infrastructure they target.

Why the China-Nexus Advisory Is a Wake-Up Call for Legacy CPS

China’s overall strategy—as demonstrated by the Volt and Salt Typhoon attacks—is to pre-position offensive capabilities on critical infrastructure networks in the event of a kinetic conflict, experts say. Its tactics, meanwhile, should also be a warning to security teams responsible for cyber-physical systems (CPS) within the critical infrastructure sectors. 

Like edge devices, legacy CPS technology is prevalent in key sectors such as manufacturing, healthcare, energy, and water utilities, and it is a target both of state-sponsored actors and of lower-skilled groups sympathetic to an adversary’s geopolitical aims.

CPS such as operational technology (OT), smart IoT sensors, and building management systems (BMS) that handle process and production data are already being leveraged by hacktivists in disruptive attacks, according to a recent Team82 report. These attacks are often decidedly low-tech: threat actors gain access using default or well-known administrative credentials, or by abusing the systems’ reliance on insecure protocols for device-to-device communication.

According to Team82, hacktivists accounted for 46% of 200 verified attacks on CPS that impacted manufacturing, water and wastewater, and power generation companies. Most often, hacktivists sympathetic to adversarial nation-states clear low barriers to entry to access and compromise CPS, primarily abusing exposed VNC endpoints and targeting HMIs and SCADA systems that communicate over Modbus, a protocol with no authentication of its own.

How to Defend Against China-Nexus Threat Actors

The April 23 advisory cautions that this particular threat from China-nexus actors presents a number of unique challenges. Traffic from these edge devices is usually part of the accepted network baseline, so activity by a third party that has gained illicit access to one of them blends into that baseline. This blending-in, combined with living-off-the-land techniques that rely on built-in administrative tools rather than malware, was a hallmark of the Volt Typhoon group’s compromises of U.S.-based military and critical infrastructure networks.

The following foundational defensive strategies for protecting CPS should be a starting point for any organization that has a China-nexus threat actor within its threat model.

Maintain an Asset Inventory of Internet-Facing CPS

The lowest barrier to entry for disruptive threat actors is internet-facing CPS assets. Internet-scanning services return actionable information about CPS devices that are exposed online, so a threat actor with a working exploit or attack technique for a particular class of CPS asset can easily build a target list. Illicit access to these devices can expose organizations to service disruption or physical damage to assets, or endanger the safety of workers or the general public. Attackers may also use these devices as an entry point onto the process network or the enterprise network to cause further damage, including ransomware or extortion attacks and exploitation of vulnerabilities on internal systems.

Therefore, it is critical to maintain a current CPS asset inventory that enumerates which assets are exposed to the internet. That is only the first step. Organizations must use the inventory to map out systems and communication paths in order to segment assets, virtually or physically, so that process devices are reachable only from the hosts that need to talk to them. Zero-trust access controls must also be applied to each internet-facing asset, raising the barrier to entry for threat actors.
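The following is an added example, not code from the original post or from Claroty: it shows the join described above between an asset inventory and an external exposure scan, and ranks internet-facing CPS assets for remediation. The inventory rows, scan rows, IP addresses, scoring weights and the `INSECURE_PROTOCOLS` list are constructed for the example; the scan format is a deliberately simplified stand-in for what a scanning service would return, not any vendor’s API.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample data for this example; none of it describes real assets.
# The inventory is what an OT asset-discovery tool knows; the scan is what an
# internet-wide scanning service reported for the organisation's public range.
INVENTORY_CSV = """\
asset_id,name,type,ip,vendor_support,protocols
a1,PLC-Boiler-1,PLC,10.20.1.10,supported,modbus
a2,HMI-Line-3,HMI,198.51.100.12,end-of-life,vnc;http
a3,BMS-Chiller,BMS,198.51.100.20,supported,bacnet;https
a4,Edge-FW-1,edge,198.51.100.1,end-of-life,https;ssh
a5,Historian,server,10.20.0.40,supported,https
"""

SCAN_CSV = """\
ip,port,service
198.51.100.12,5900,vnc
198.51.100.12,80,http
198.51.100.20,443,https
198.51.100.1,443,https
198.51.100.1,22,ssh
198.51.100.33,502,modbus
"""

# Protocols that carry no authentication or no encryption on the wire (assumed list).
INSECURE_PROTOCOLS = {"modbus", "vnc", "http", "telnet", "ftp"}
# Asset classes whose compromise can change a physical process (assumed list).
PROCESS_CONTROL_TYPES = {"PLC", "HMI", "BMS", "RTU"}


@dataclass
class Finding:
    asset_id: str
    name: str
    score: int = 0
    reasons: list = field(default_factory=list)


def load_scan(text: str) -> dict:
    """Map each externally reachable IP to the set of services seen on it."""
    exposed = {}
    for row in csv.DictReader(io.StringIO(text)):
        exposed.setdefault(row["ip"], set()).add(row["service"])
    return exposed


def triage(inventory_text: str, scan_text: str):
    """Join inventory with scan results.

    Returns (ranked findings for inventoried internet-facing assets,
             scanned IPs that the inventory does not know about).
    The second value is the inventory gap: something is listening on the
    public range that nobody has catalogued, which is itself a finding.
    """
    exposed = load_scan(scan_text)
    known_ips = set()
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        known_ips.add(row["ip"])
        services = exposed.get(row["ip"])
        if not services:
            continue  # not reachable from the internet; covered by internal segmentation
        f = Finding(row["asset_id"], row["name"])
        f.score += 50
        f.reasons.append("internet-facing: " + ", ".join(sorted(services)))
        insecure = services & INSECURE_PROTOCOLS
        if insecure:
            f.score += 20 * len(insecure)
            f.reasons.append("exposed insecure protocol(s): " + ", ".join(sorted(insecure)))
        if row["vendor_support"] == "end-of-life":
            f.score += 30
            f.reasons.append("end-of-life: no vendor patches will ever arrive")
        if row["type"] in PROCESS_CONTROL_TYPES:
            f.score += 20
            f.reasons.append(f"{row['type']} can directly affect a physical process")
        findings.append(f)
    findings.sort(key=lambda f: (-f.score, f.asset_id))
    unknown = set(exposed) - known_ips
    return findings, unknown


if __name__ == "__main__":
    ranked, unknown = triage(INVENTORY_CSV, SCAN_CSV)
    for f in ranked:
        print(f"{f.score:4d}  {f.asset_id} {f.name}: " + "; ".join(f.reasons))
    for ip in sorted(unknown):
        print(f"  ?? {ip} answers on the public range but is not in the inventory")
```

On this data the end-of-life HMI with VNC and HTTP exposed ranks first, the end-of-life edge firewall second, and the BMS (reachable only over HTTPS) third; the Modbus listener at 198.51.100.33 is reported as an inventory gap rather than silently dropped.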

Understand Adversary TTPs via Threat Intelligence

Security teams must also have some understanding of threat actors’ tactics, techniques, and procedures (TTPs). This requires CPS-specific, curated threat intelligence that when combined with an asset inventory allows security teams to identify the pertinent threats, and prioritize exposed assets with the most business impact for rapid remediation or mitigation. 

While it’s not always critical to know exactly who is on your network, it is important to understand their tactics and their motivations in order to determine whether you could be next within your industry to be targeted, or whether your CPS assets are similarly exposed as other organizations that have been compromised. 

Reduce Attack Surface, Phase out Insecure OT Protocols

Use your asset inventory and asset management capabilities to identify which CPS assets are communicating via legacy protocols. As Team82 demonstrated, insecure protocols such as VNC and Modbus are the preferred targets of less-skilled threat actors. Modbus/TCP has no authentication or encryption at all: any host that can reach the port can read and write registers and coils. VNC’s classic password authentication is weak and, in most deployments, unencrypted, so an exposed VNC endpoint is frequently protected by nothing more than a default or guessable password. Attackers leverage these weaknesses to disrupt OT assets, production lines, or even hospital operations, putting public safety and patient care at risk.

Upgrading away from these protocols, or to their authenticated and encrypted variants, may be expensive and time-consuming. An accurate inventory of CPS assets, together with an understanding of which devices are exposed and how, is a big head start. In the meantime, security teams must eliminate default or well-known credentials and change them before devices are brought online, and must identify and correct other insecure configurations before any device is connected to a network.
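To make the Modbus point concrete, here is an added example (not code from the original post or from Claroty) that decodes Modbus/TCP request frames and flags writes, diagnostics and device-identification queries coming from hosts outside an assumed engineering allowlist. The frames, IP addresses and the `ENGINEERING_HOSTS` set are constructed for the example. The parser follows the public Modbus/TCP framing; note that nothing in the header identifies or authenticates the sender, which is exactly why the detection has to key on the source address rather than on anything in the protocol.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_TCP_PORT = 502

# Public Modbus function codes relevant to monitoring (fixed by the Modbus spec).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # change process state
DIAGNOSTIC_FUNCTIONS = {8}                 # sub-functions can restart comms or force listen-only mode
RECON_FUNCTIONS = {43}                     # vendor / model / firmware enumeration


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    'length' counts the unit id plus the PDU, i.e. everything after byte 6.
    There is no credential, session or integrity field anywhere in the frame.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, uid, payload[7], payload[8:])


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def assess_flow(flow: Flow, engineering_hosts: set) -> Optional[tuple]:
    """Return (severity, message) for one Modbus/TCP flow, or None if it is expected."""
    if flow.dst_port != MODBUS_TCP_PORT:
        return None
    where = f"{flow.src_ip} -> {flow.dst_ip}"
    req = parse_modbus_tcp(flow.payload)
    if req is None:
        return ("low", f"{where}: malformed Modbus/TCP frame (scanner or fuzzer?)")
    if flow.src_ip in engineering_hosts:
        return None  # expected SCADA/engineering traffic; the PLC itself cannot tell the difference
    fc = req.function_code
    name = FUNCTION_NAMES.get(fc, f"function code {fc}")
    if fc in WRITE_FUNCTIONS:
        detail = ""
        if fc == 6 and len(req.data) >= 4:
            addr, value = struct.unpack(">HH", req.data[:4])
            detail = f" register {addr} := {value}"
        return ("critical", f"{where}: unauthorized {name}{detail} to unit {req.unit_id}")
    if fc in DIAGNOSTIC_FUNCTIONS:
        return ("critical", f"{where}: {name} from unexpected source")
    if fc in RECON_FUNCTIONS:
        return ("medium", f"{where}: {name} from unexpected source (reconnaissance)")
    return ("low", f"{where}: {name} from unexpected source")


def audit(flows, engineering_hosts):
    """Run assess_flow over a batch and keep only the findings."""
    return [r for r in (assess_flow(f, engineering_hosts) for f in flows) if r]


# Constructed sample traffic (not a real capture). Frames are hand-built
# Modbus/TCP request ADUs; 10.20.0.5 is the assumed SCADA/engineering host.
ENGINEERING_HOSTS = {"10.20.0.5"}
READ_HOLDING   = bytes.fromhex("0002 0000 0006 01 03 0000 000a")  # FC3: read 10 regs from 0
WRITE_REGISTER = bytes.fromhex("0001 0000 0006 01 06 0010 0000")  # FC6: register 16 := 0
READ_DEVICE_ID = bytes.fromhex("0003 0000 0005 01 2b 0e 01 00")   # FC43/MEI 0x0E: basic device id
TRUNCATED      = bytes.fromhex("0005 0000 0099 01 06")            # length field does not match

SAMPLE_FLOWS = [
    Flow("10.20.0.5",   "10.20.1.10", 502, READ_HOLDING),    # routine SCADA poll
    Flow("10.20.0.5",   "10.20.1.10", 502, WRITE_REGISTER),  # engineering change, allowed
    Flow("203.0.113.7", "10.20.1.10", 502, READ_DEVICE_ID),  # internet host fingerprinting the PLC
    Flow("203.0.113.7", "10.20.1.10", 502, WRITE_REGISTER),  # internet host changing a setpoint
    Flow("203.0.113.7", "10.20.1.10", 502, TRUNCATED),       # malformed frame
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_FLOWS, ENGINEERING_HOSTS):
        print(f"[{severity.upper()}] {message}")
```

The two frames from 10.20.0.5 and the identical write from 203.0.113.7 are byte-for-byte the same request; only the source address separates a legitimate engineering change from an attack, which is the practical meaning of “no authentication”. Until the protocol can be replaced or wrapped, that source allowlist has to be enforced by segmentation and firewall policy, with this kind of monitoring as the check that the policy holds.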
