
Your Router Might Be Working for a Foreign Government. Do Something About It.

CISA, the FBI, the NSA, and cybersecurity agencies from 15 countries released a joint advisory today. The subject: Chinese state-sponsored cyber actors are using compromised home routers, smart cameras, firewalls, and IoT devices to route their attacks through unsuspecting networks.

Not attacking those devices... Using them... As infrastructure... To mask where their operations are actually coming from.

If you've been in a room with me when cybersecurity comes up, you've heard me say some version of this before. The threat isn't theoretical. The threat isn't "out there." The threat is sitting on a shelf in your office, blinking a green light, doing exactly what it's supposed to do while also doing something you never authorized.

One network named in the advisory (Raptor Train) infected over 200,000 devices worldwide. Another (KV Botnet) was used by a Chinese threat group called Volt Typhoon to pre-position offensive cyber capabilities on U.S. critical infrastructure. The FBI had to get court authorization to disrupt it. And the advisory makes clear: these are just the ones we know about.

The devices being compromised share a common trait... they're old, they're unpatched, they're running default credentials, they're "end of life" (meaning the manufacturer stopped issuing security updates and nobody noticed). They got plugged in, they worked, and they got forgotten about.

Sound like anything in your home or office?

Here's the scenario... You're a M distributor. You've got a firewall that was installed when you signed the lease. You've got security cameras on your network that haven't been touched since the installer left. You've got a router from your ISP that nobody has logged into since the day it arrived. You've got a network-attached storage box in a closet that someone set up three years ago for backups.

Every one of those devices could be compromised right now. You wouldn't know. Your internet still works. Your cameras still record. But in the background, your equipment is forwarding traffic for foreign intelligence operations. Your IP address shows up in someone's logs as the source of an attack you had nothing to do with.

And when someone comes asking questions (and eventually, someone will), what's your answer going to be?

The advisory lists recommendations. Some are basic:

  • keep devices updated
  • apply patches
  • replace end-of-life equipment
  • use multi-factor authentication

Some are more advanced:

  • baseline normal traffic patterns
  • use IP allowlists instead of blocklists
  • reduce your internet-facing footprint

But let's be honest. Most small and mid-sized businesses don't have the internal capability or know-how to do any of this. You don't have a security operations center. You don't have a full-time person running threat feeds. You have a business to run, and cybersecurity is the thing you'll "get to eventually."

I've heard it all before...

"No one is targeting us." "We'll deal with it if it happens." "Why do you keep asking for more resources?"

And my personal favorite: "Why do you care?" (An actual question from a President of a company).  

Meanwhile, Chinese state actors are quietly turning your forgotten router into part of their attack infrastructure.

The advisory was co-signed by intelligence and cybersecurity agencies from the U.S., UK, Australia, Canada, Germany, Japan, Netherlands, New Zealand, Spain, and Sweden. This isn't speculation. This is coordinated, documented, and ongoing. And it's happening on devices that most business owners haven't thought about in years.

So let me ask the same questions I always ask...

Do you know what network equipment you have? Can you account for every router, firewall, switch, and connected device? Do you know how old they are? Do you know if they're still supported? Do you know who has the credentials?

If you can't answer those questions, you have a problem. And if you don't have the internal expertise to answer them, you need to find someone who does.

Your old router might be doing more than connecting you to the internet. It is past time to do something about it.

________________________________________________________________________________________________________________
Raphael Savastano is the founder and principal consultant of ROFONIC LLC. With 25+ years in IT, 16 years in leadership, including 8 years as CIO scaling technology for a global manufacturer from M to 0M. He now helps growing companies get executive-level technology and operations leadership without the full-time cost.