They’re Not Hacking Your Accounts. They’re Using Your Router.

Published by Netcomp Solutions  ·  27 April 2026  ·  3 min read

⚠ Official Advisory — 23 April 2026

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), alongside 15 partner agencies from 9 countries, has issued an urgent joint advisory on a major shift in Chinese state-sponsored cyber tactics. Australian businesses of all sizes are in scope.

Sources: NCSC-UK / ASD’s ACSC Joint Advisory  ·  CISA Advisory AA26-113A  ·  cyber.gov.au

If you run a small business in Australia, you probably have a router sitting in the corner of your office. You barely think about it. It just works.

But right now, foreign state-sponsored hackers are quietly taking over routers exactly like yours — and using them to spy on businesses, steal login credentials, and attack critical infrastructure. And you’d never know it was happening.

On 23 April 2026, Australia’s own cyber security agency — together with agencies from the UK, USA, Canada, Germany, Japan, the Netherlands, New Zealand, Spain and Sweden — published an urgent joint warning. Here’s what it means for your business, in plain English.

What Is Actually Happening?

Chinese state-sponsored hacker groups — including Volt Typhoon and Flax Typhoon — have changed their approach. Instead of using their own servers, they are now hijacking thousands of ordinary everyday devices and connecting them into an invisible network:

  • Home and office routers — especially older models no longer receiving security updates
  • IoT devices — smart TVs, security cameras, environmental sensors
  • Network-attached storage (NAS) drives
  • Business firewalls and VPN appliances

Together, these compromised devices form what the advisory calls a “covert network” — a hidden, constantly shifting spy network that disguises where attacks are coming from.

One such network, known as Raptor Train, infected more than 200,000 devices worldwide in 2024. It was controlled by a Chinese company, Integrity Technology Group, and is linked to the state-sponsored group Flax Typhoon.

Why Can’t My Antivirus Catch It?

This is where it gets troubling. The ACSC describes a phenomenon called “IOC Extinction” — indicators of compromise (the digital fingerprints that security tools use to detect attacks) vanish almost as fast as they appear.

Because the covert network constantly rotates through thousands of different compromised devices, traditional blocklists and signature-based detection tools simply cannot keep up. By the time a threat is identified and blocked, the attackers have already moved to a different device.

The advisory explicitly warns: relying on static, indicator-based controls alone is no longer enough.

What Do They Actually Do Once They’re In?

These covert networks are used across every stage of an attack — what security professionals call the “Cyber Kill Chain”:

| Attack Stage | What It Means for Your Business |
|---|---|
| Reconnaissance | Secretly scanning your network to map weaknesses before striking |
| Malware delivery | Sending malicious software into your systems through the compromised device |
| Command & control | Remotely controlling compromised devices inside your network, invisibly |
| Data exfiltration | Quietly copying and stealing your data, passwords and financial information |

What Should My Business Do Right Now?

The advisory provides specific guidance for organisations of all sizes. Here’s what matters most for Australian small businesses:

1. Update everything — especially older devices

Volt Typhoon specifically targeted Cisco and Netgear routers that were end-of-life, meaning they no longer received security patches. If your router or any network device is no longer supported by its manufacturer, replace it now. This is the single biggest risk factor identified in the advisory.

2. Change default passwords on every device

Default passwords — the ones printed on the box — are the easiest entry point for attackers. Change them on your router, cameras, printers, smart devices and any other hardware connected to your network. Use a unique, strong password for each device.

3. Enable multi-factor authentication (MFA) on remote access

If your staff connect to your business network remotely or via a VPN, enable MFA. This means a stolen password alone is not enough to get in. The advisory specifically recommends this as a priority step for all organisations.

4. Know what’s on your network

Ask your IT provider to map every device connected to your business network — routers, cameras, printers, smart devices. The advisory calls this “baselining your edge device traffic.” You can’t protect what you can’t see.

5. Ask about behaviour-based monitoring

Because these attacks use IOC extinction to evade standard detection, the advisory specifically recommends moving toward adaptive, behaviour-based monitoring that detects unusual network activity — rather than relying solely on known threat signatures. Talk to your IT provider about whether your current security tools can do this.
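To make steps 4 and 5 concrete, here is an added example (not taken from the advisory or from any vendor's product) that learns a per-device traffic baseline and then compares a stale IP blocklist with a behaviour check on the same traffic. The flow-record layout, device names, addresses and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (device, dst_ip, dst_port, bytes_out). Device names are
# hypothetical; addresses come from the RFC 5737 documentation ranges.
BASELINE_FLOWS = [
    ("camera-1", "198.51.100.10", 443, 52_000),
    ("camera-1", "198.51.100.10", 443, 48_000),
    ("nas-1", "198.51.100.20", 443, 1_100_000),
    ("nas-1", "198.51.100.20", 443, 1_300_000),
]
TODAY_FLOWS = [
    ("camera-1", "198.51.100.10", 443, 51_000),   # normal
    ("camera-1", "203.0.113.77", 8443, 49_000),   # port never seen for this device
    ("nas-1", "203.0.113.91", 443, 9_800_000),    # upload far above its baseline
]
STALE_BLOCKLIST = {"203.0.113.5"}  # indicator the relay network has rotated away from

def build_baseline(flows):
    """Learn, per device, the ports it uses and its typical upload size."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for device, _ip, port, nbytes in flows:
        ports[device].add(port)
        sizes[device].append(nbytes)
    return {d: {"ports": ports[d], "mean": mean(sizes[d]), "sd": pstdev(sizes[d])}
            for d in ports}

def blocklist_hits(flows, blocklist):
    return [f for f in flows if f[1] in blocklist]

def behaviour_alerts(flows, baseline, z_limit=4.0):
    """Flag flows that deviate from the device's own baseline, whatever the IP."""
    alerts = []
    for device, ip, port, nbytes in flows:
        prof = baseline.get(device)
        if prof is None:  # device missing from the inventory is itself a finding
            alerts.append((device, ip, "device not in baseline inventory"))
            continue
        if port not in prof["ports"]:
            alerts.append((device, ip, f"new destination port {port}"))
        # Floor the spread at 10% of the mean so steady devices do not alert on noise.
        spread = max(prof["sd"], 0.1 * prof["mean"])
        if (nbytes - prof["mean"]) / spread > z_limit:
            alerts.append((device, ip, f"upload of {nbytes} bytes far above baseline"))
    return alerts

if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(TODAY_FLOWS, STALE_BLOCKLIST))
    print("alerts:", behaviour_alerts(TODAY_FLOWS, build_baseline(BASELINE_FLOWS)))
```

The blocklist returns nothing because neither new address was ever listed, while the baseline comparison flags both the camera's new port and the NAS drive's oversized upload.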

✅ Your Quick Action Checklist

  • Update firmware on your router and all connected network devices
  • Change all default passwords — on every device, not just your router
  • Replace any hardware past its manufacturer’s end-of-life date
  • Enable multi-factor authentication (MFA) on all remote access and VPN connections
  • Ask your IT provider to audit and map all devices on your network
  • Call the free Australian government cyber helpline: 1300 CYBER1
  • Visit cyber.gov.au for the latest guidance and free resources

The Bottom Line

Small businesses are not too small to be targeted. In fact, they’re often the easiest entry point — because they tend to have less IT support, older hardware, and fewer defences than large organisations.

The good news: you don’t need a big IT budget to take the most important steps. Updating firmware, changing passwords, and enabling MFA cost nothing and can significantly reduce your risk today.

Not sure where to start? Netcomp Solutions offers a free security review for Australian small businesses. Get in touch today — before someone else gets in first.
