Your Router Is a Spy: How China-Linked Hackers Are Hiding in Plain Sight
Western intelligence agencies are sounding the alarm over a sophisticated Chinese hacking tactic that turns ordinary home routers and smart devices into a global espionage network. A coordinated warning from nine countries, led by the UK's National Cyber Security Centre, reveals just how invisible these attacks have become — and why your internet-connected thermostat might be the weakest link in national security.
The Hack You'll Never See Coming
Your home router probably sits in a corner, blinking quietly, and never crosses your mind. For Chinese state-linked hackers, it could be a perfect tool. On April 23, 2026, the UK's National Cyber Security Centre (NCSC) and 15 partner agencies from eight other countries — including the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, and Spain — jointly published new guidance warning the world about this exact threat.
The advisory, co-signed by agencies including the FBI, describes a growing practice: Chinese-affiliated cyber groups are quietly taking control of unpatched home routers, smart TVs, and other internet-connected gadgets. They then use these hijacked devices as relay points to launch attacks — making the traffic look like it's coming from an ordinary household rather than a Chinese intelligence operation.
What Is an ORB Network — and Why Is It So Dangerous?
The technical term for what's being described is an "Operational Relay Box" network, or ORB. Think of it as a secret underground tunnel system built from other people's devices. Instead of attacking a target directly, hackers bounce their traffic through dozens or hundreds of compromised routers scattered across the globe. The original source of the attack becomes nearly impossible to trace.
ORB networks function like botnets — mesh networks of compromised devices including virtual private servers, IoT gadgets, smart devices, and home routers — used as hidden relay points for espionage operations. Crucially, the devices continue to handle normal internet traffic alongside the hidden malicious data, which makes detection extremely difficult.
What makes the tactic even more effective is its speed of renewal. Security researchers at Mandiant have compared ORB networks to a constantly reconfiguring maze, with entry and exit points disappearing roughly every 60 to 90 days. By the time investigators identify a compromised device used in an attack, it's often already been rotated out of the network.
A Deliberate Shift in Strategy
Western agencies stress that this is not an accidental vulnerability being exploited — it's a calculated strategic choice by Beijing-linked groups. Paul Chichester, director of operations at the NCSC, said in the official statement that there has been "a deliberate shift" in Chinese cyber groups using these networks specifically to avoid accountability.
Google-owned Mandiant noted that ORB networks are not operated directly by Chinese government units. Instead, they appear to be managed by contractors who rent the infrastructure to multiple hacking groups — making attribution even harder. Traffic can originate from any geography, and traditional indicators of compromise become largely useless as the networks constantly cycle their infrastructure.
The groups most prominently linked to these tactics include Volt Typhoon and Flax Typhoon — two China-affiliated hacking clusters that have been the subject of repeated warnings from U.S. and allied agencies. A related group called BlackTech, active since 2010, has targeted U.S. and East Asian organizations by compromising branch office routers and using trusted corporate network relationships to pivot deeper into headquarters systems — all while disabling logging to cover their tracks.
The Targets: Everything That Matters
The guidance makes clear that no sector is considered off-limits. Critical infrastructure — energy grids, telecommunications, water systems, financial networks — is among the primary targets. The goal is not just stealing data, but maintaining persistent, hidden access that could be activated in a future crisis.
Dutch intelligence warned earlier this week that China now matches the United States in cyber capability and forecast a further increase in attacks targeting edge devices such as routers, firewalls, and VPN solutions through 2026. The same report noted that a Chinese campaign tracked as Salt Typhoon and RedMike had already gained access to routers at smaller Dutch internet service providers.
Singapore faced a particularly damaging example in 2025 and early 2026. A group linked to Chinese state actors penetrated four major Singaporean telecom providers — M1, SIMBA Telecom, Singtel, and StarHub — in what local authorities described as a "deliberate, targeted, and well-planned" operation. The response required a national cyber incident effort lasting more than 11 months, involving over 100 government cyber defenders.
Britain Rings the Alarm — Louder Than Before
The new ORB advisory lands just one day after a major speech by NCSC chief Richard Horne at the annual CyberUK conference in Glasgow, where he delivered what may be his starkest warning yet.
Horne told attendees that China's intelligence and military agencies display "an eye-watering level of sophistication" in their operations. He also warned that the majority of the most serious cyber incidents his agency now handles originate directly or indirectly from nation states — a significant shift from the criminal ransomware gangs that dominated the threat landscape in previous years.
UK Security Minister Dan Jarvis revealed that the NCSC handled more than 200 nationally significant cyber incidents in the previous year — more than double the number recorded the year before. The scale and pace of the threat, officials say, has fundamentally changed.
The CYBERUK 2026 conference, held during the NCSC's 10th anniversary year, was designed to drive home the message that cyber conflict no longer travels separately from wider geopolitical disputes — it moves with them.
AI: Both a Threat and a Potential Shield
Adding to the urgency is the rapid spread of artificial intelligence. AI tools are now being used by attackers to identify and exploit security weaknesses faster than human teams can patch them. UK Security Minister Dan Jarvis called on leading AI companies to work with the government to build autonomous cyber-defense capabilities capable of protecting critical national infrastructure at a speed no human team could match on its own.
Britain has pledged £90 million ($122 million) over three years for cybersecurity investment, with a focus on smaller businesses that often lack the resources to defend themselves.
What You Can Do
The new joint guidance from Western cyber agencies includes practical steps for organizations and individuals. The core message: treat every internet-connected device as a potential target.
Key recommendations include keeping all routers and smart devices updated with the latest firmware, replacing outdated or unsupported hardware, changing default passwords immediately after setup, monitoring for unusual network activity, and segmenting home and office networks so that a compromised smart device cannot easily reach more sensitive systems.
For organizations, the advisory stresses that the speed at which forensic evidence from ORB-based attacks disappears makes early detection critical — waiting until after a breach to investigate may leave defenders with almost nothing to work with.
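The guidance above asks defenders to segment networks and watch for unusual activity, but it does not show what that looks like in practice. The script below is an added example, not code from the advisory or any of the agencies cited: it reads constructed router firewall log lines and flags three of the patterns an ORB-style compromise of a home or branch device produces. The subnet layout (IoT devices on 192.168.20.0/24, workstations on 192.168.10.0/24), the log format and every address are assumptions made for the demo.

```python
"""
Added example (not part of the original article): a small log review that
applies the advisory's advice on segmentation and monitoring to firewall
connection logs. It flags:
  1. an IoT-segment device reaching the trusted LAN (segmentation violation),
  2. an IoT device talking to many distinct external hosts (relay-style fan-out),
  3. an external host opening an accepted inbound connection to an IoT device
     (a relay that is being used must accept traffic from outside).
The subnet layout, log format and addresses are constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Assumed segment layout for the demo network.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")
INTERNAL_NETS = (IOT_NET, TRUSTED_NET)

# Constructed sample log: "timestamp src dst dport proto action" per line.
SAMPLE_LOG = """\
2026-04-23T10:00:01 192.168.20.15 93.184.216.34 443 tcp allow
2026-04-23T10:00:05 192.168.20.15 192.168.10.7 445 tcp allow
2026-04-23T10:00:09 192.168.20.31 198.51.100.8 8443 tcp allow
2026-04-23T10:00:10 192.168.20.31 203.0.113.40 8443 tcp allow
2026-04-23T10:00:12 192.168.20.31 203.0.113.41 8443 tcp allow
2026-04-23T10:00:14 192.168.20.31 203.0.113.42 8443 tcp allow
2026-04-23T10:00:20 192.168.10.7 93.184.216.34 443 tcp allow
2026-04-23T10:01:00 198.51.100.77 192.168.20.31 22 tcp allow
"""


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, dport, proto, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
        "action": action,
    }


def parse_log(text):
    """Parse all non-empty lines of a log into event dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_external(ip):
    """An address is external if it belongs to none of our internal segments."""
    return not any(ip in net for net in INTERNAL_NETS)


def segmentation_violations(events):
    """Allowed flows from the IoT segment into the trusted segment."""
    return [
        (str(e["src"]), str(e["dst"]), e["dport"])
        for e in events
        if e["action"] == "allow" and e["src"] in IOT_NET and e["dst"] in TRUSTED_NET
    ]


def iot_external_fanout(events, threshold=3):
    """IoT devices that reached at least `threshold` distinct external hosts."""
    dests = defaultdict(set)
    for e in events:
        if e["action"] == "allow" and e["src"] in IOT_NET and is_external(e["dst"]):
            dests[str(e["src"])].add(str(e["dst"]))
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def inbound_to_iot(events):
    """Accepted connections from external hosts directly to IoT devices."""
    return [
        (str(e["src"]), str(e["dst"]), e["dport"])
        for e in events
        if e["action"] == "allow" and is_external(e["src"]) and e["dst"] in IOT_NET
    ]


def review(text):
    """Run all three checks over a log and return the findings together."""
    events = parse_log(text)
    return {
        "segmentation_violations": segmentation_violations(events),
        "external_fanout": iot_external_fanout(events),
        "inbound_to_iot": inbound_to_iot(events),
    }


if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Run against real logs, the first check is the one to turn into a firewall rule rather than an alert: an IoT VLAN should simply have no allowed path into the trusted segment. The other two are alerts whose thresholds need tuning to the device population, and, as the advisory notes about disappearing forensic evidence, they are only useful if the logs are shipped off the router before an attacker who controls it can disable logging.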
The Bigger Picture
What these advisories collectively reveal is a strategic doctrine. China is not just building military strength in traditional domains — it is systematically constructing a global digital infrastructure for espionage and, potentially, sabotage. The ORB network approach weaponizes the very openness of the internet, turning ordinary people's devices into unwitting instruments of state power.
Mandiant analysts concluded that the rise of the ORB industry in China reflects long-term investment in equipping Chinese cyber operators with more sophisticated tools — designed to raise the cost of network defense and shift the advantage toward the attacker.
For Western governments, businesses, and individuals, the message from this week's coordinated advisory is unambiguous: the digital space is contested territory, and the battle is already underway — in routers and smart devices in homes and offices around the world.
Sources:
- UK National Cyber Security Centre — Official Advisory & Horne Speech (April 22–23, 2026): https://www.ncsc.gov.uk/news/cyber-chief-uk-faces-perfect-storm-for-cyber-security
- Associated Press / ABC News — "Most Serious Cyberattacks Against the UK Now from Russia, Iran and China" (April 22, 2026): https://abcnews.com/International/wireStory/cyberattacks-uk-now-russia-iran-china-cyber-chief-132256988
- Mandiant / Google Cloud — "Chinese-linked Hacking Units Increasingly Use ORBs to Obfuscate Espionage" via CyberScoop: https://cyberscoop.com/china-hacking-operational-relay-box-networks/
- Infosecurity Magazine — "Chinese Hackers Rely on Covert Proxy Networks to Evade Detection": https://www.infosecurity-magazine.com/news/chinese-apt-orb-networks/
- The Record / Recorded Future News — "China's Cyber Capabilities Now Equal to the US, Warns Dutch Intelligence" (April 2026): https://therecord.media/china-cyber-capabilities-match-us-dutch-intel-says
- The Record — "Singapore Attributes Telecom Hacks to China-Linked UNC3886" (Feb 2026): https://therecord.media/singapore-attributes-telecoms-hacks-unc3886
- CISA Advisory — "People's Republic of China-Linked Actors Hide in Router Firmware" (BlackTech, 2023): https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a