Canadian Cyber Security Journal

CISA AA26-113A: Five-Country Advisory Warns Chinese Threat Actors Now Route Attacks Through Covert Networks of Compromised Devices

What Happened

On April 23, 2026, CISA released joint advisory AA26-113A alongside the UK National Cyber Security Centre, Canada’s Centre for Cyber Security (CCCS), and agencies from Australia, Germany, and Japan. The advisory documents a fundamental shift in the tactics of Chinese state-linked threat actors: rather than using individually procured servers and infrastructure, these actors now operate through large, shared networks of compromised routers, VPN appliances, and edge devices — what the advisory calls “covert networks.”

These covert networks provide two primary advantages for the attackers. First, they obscure attribution — all malicious traffic appears to originate from legitimate IP addresses belonging to organizations, universities, or individuals with no connection to China. Second, they reduce operational cost and risk, since the actors are not maintaining their own infrastructure and leave fewer forensic artifacts. The NCSC assessed that the majority of China-nexus threat actors are using these networks, and that multiple covert networks are in simultaneous use by different actor groups. The advisory is available at CISA and NCSC-UK.

Why This Matters for Canadian Organizations

The inclusion of Canada’s CCCS as a co-signatory is not a formality — it reflects direct Canadian exposure. China-linked threat actors have previously targeted Canadian government ministries, telecommunications infrastructure, defence contractors, and research institutions. The shift to covert infrastructure makes detection significantly harder: network traffic originating from a trusted IP range at a Canadian university or internet service provider will not trigger the same alerts as traffic from a known malicious block.

Organizations relying on IP-based threat blocking or geolocation filtering as a primary detection layer will find those controls degraded by this technique. Canadian critical infrastructure operators under Bill C-26 obligations, federal departments, and organizations in the defence supply chain should treat this advisory as a direct call to audit their edge device inventory, VPN gateways, and remote access solutions — these are the devices being compromised to build covert networks, and they are also the entry points into your environment.

The advisory specifically calls out VPN appliances, small-office routers, and firewall products as primary targets for initial compromise. Canadian organizations still running end-of-life or unpatched versions of Cisco, Fortinet, Ivanti, or similar products on their network perimeters face compounded risk: those devices are both potential nodes in a covert network and potential entry points into their own infrastructure.

What to Do

Map and baseline all network traffic transiting your edge devices, with particular attention to VPN and remote access connection patterns. Adopt dynamic threat intelligence feeds that include indicators specific to covert network activity. Prioritize patching for internet-facing edge devices — routers, firewalls, and VPN concentrators — as these are the primary recruitment targets for covert networks. Review logs for low-and-slow reconnaissance patterns, unusual data transfer volumes, and connections to infrastructure your threat intelligence feeds flag as recently listed. Consider segmenting network monitoring so that anomalies on edge devices trigger dedicated alerting workflows separate from your general SIEM noise. Consult the full advisory for detection indicators and YARA rules released by the partner agencies.
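The baselining and log-review steps above, as an added example that is not part of the advisory or this article: three behavioural checks run over constructed edge-device flow records, flagging a source whose transfer volume deviates from its own baseline, a source probing several ports low-and-slow over many hours, and a peer address that appears on a recently-listed feed. The log format, the RFC 5737 addresses, the feed entry and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed edge-device flow records "timestamp src dst dport bytes" (RFC 5737 addresses, not real indicators).
SAMPLE_LOG = """\
2026-04-24T01:00:00 203.0.113.10 10.0.0.5 443 1200
2026-04-24T01:05:00 203.0.113.10 10.0.0.5 443 1500
2026-04-24T01:10:00 203.0.113.10 10.0.0.5 443 1300
2026-04-24T02:00:00 203.0.113.10 10.0.0.9 443 950000000
2026-04-24T01:00:00 198.51.100.7 10.0.0.5 22 300
2026-04-24T03:30:00 198.51.100.7 10.0.0.5 3389 300
2026-04-24T06:10:00 198.51.100.7 10.0.0.6 445 300
2026-04-24T09:45:00 198.51.100.7 10.0.0.7 8080 300
2026-04-24T01:00:00 192.0.2.44 10.0.0.5 443 800
2026-04-24T01:01:00 192.0.2.44 10.0.0.5 443 900
"""
RECENT_FEED = {"192.0.2.44"}  # constructed "recently listed" entry, placeholder only

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def by_src(flows):
    groups = defaultdict(list)
    for f in flows:
        groups[f["src"]].append(f)
    return groups

def volume_outliers(flows, factor=50):
    """Sources with one transfer far above that source's own median (baseline deviation)."""
    return {s for s, fs in by_src(flows).items() if len(fs) >= 3
            and max(f["bytes"] for f in fs) > factor * median(f["bytes"] for f in fs)}

def low_and_slow(flows, min_ports=4, min_hours=6, max_per_hour=2):
    """Sources touching several distinct ports spread over a long window at a low event rate."""
    hits = set()
    for s, fs in by_src(flows).items():
        span_h = (max(f["ts"] for f in fs) - min(f["ts"] for f in fs)).total_seconds() / 3600
        if (len({f["dport"] for f in fs}) >= min_ports and span_h >= min_hours
                and len(fs) / span_h < max_per_hour):
            hits.add(s)
    return hits

def feed_hits(flows, feed):
    """Sources whose flow involves an address on the recently-listed indicator feed."""
    return {f["src"] for f in flows if f["src"] in feed or f["dst"] in feed}
```

Because the feed check alone would miss traffic from an unlisted compromised device, the two baseline checks are the ones that remain useful when the source address looks legitimate.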
