March 30, 2026

Nation-state hackers are turning compromised routers, cameras, NAS devices, and other IoT technologies into covert cyber infrastructure for espionage, proxying attacks, and hiding attribution.
In late April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC-UK), and several international partners released a joint statement announcing that China-linked cyber actors are using hijacked embedded devices as infrastructure for delivering attacks.
“This is a meaningful shift because attackers are no longer operating from attacker‑owned infrastructure but from victim‑owned, legitimate embedded devices, which invalidates trust assumptions based on IP ownership or device class,” said SANS Institute instructor and digital forensics expert Mattia Epifani. “Traffic sourced from consumer routers or NAS systems can now be attacker‑controlled by design, not anomaly.”
Traditionally, bad actors have rented or built their own infrastructure. Now, however, they’re hijacking other people’s devices at scale, especially small office/home office (SOHO) routers and IoT gadgets like cameras or NAS boxes, to form covert networks. According to CISA, one network might include thousands of devices, and multiple threat groups might share it.
“This is more than a botnet evolution. Nation-state actors are using IoT and embedded devices as their own cyber infrastructure, not just targets,” said Dr. Katrina Rosseini, chairwoman of the Civilian Reserve Information Sharing and Analysis Center (CR-ISAC) executive board.
Botnets were about volume, says Rosseini. The takeover of embedded devices, she said, is about control, persistence, and strategic access. By taking over embedded devices, nation-states can mask their activity. More importantly, says Rosseini, attackers can insinuate themselves into strategic systems, create access pathways, and use compromised embedded devices to position themselves for future attacks.
“In operational environments, this is about pre-positioning. These devices give adversaries a quiet way to establish access long before they decide to act,” she said.
As long as organizations think of embedded devices as endpoints, Epifani said, attackers will be able to effectively leverage those devices as infrastructure.
“The biggest misconception is that embedded devices are merely targets or entry points, rather than strategic infrastructure for nation‑state operations. Modern campaigns show they are deliberately used as relay nodes, attribution shields, and pre‑positioning assets,” Epifani said. “The progression from VPNFilter to Cyclops Blink demonstrates this evolution clearly: routers were no longer exploited just for access, but systematically converted into a distributed, resilient cyber infrastructure layer controlled by a state actor.”
Embedded and IoT devices are a natural target for malicious actors, partially because there are so many of them, says Adam Ierymenko, founder and CTO of ZeroTier.
“They're everywhere, they're often under-managed, and they tend to run for long periods without anyone paying close attention to their behavior,” said Ierymenko. “For an attacker, that creates a huge, distributed layer of low-friction infrastructure. These are devices that can be hijacked, repurposed, and blended into normal traffic with very little operational cost.”
Embedded and edge devices are difficult to secure because they largely sit outside enterprise security tooling, lack telemetry, and often remain operational long after vendor support ends.
“Once devices reach end‑of‑life, known vulnerabilities persist indefinitely while the device continues routing or processing traffic silently. This makes them ideal for nation‑state reuse as infrastructure,” Epifani said.
Volt Typhoon, for example, relied on end‑of‑life routers that were functioning normally but acting as covert relays. The routers’ owners were unaware of this because there was no longer logging or monitoring for those devices.
The shift to using embedded devices as infrastructure is a natural evolution for attackers, Ierymenko said.
“In many ways, embedded devices are becoming the connective tissue of modern cyber operations,” Ierymenko said. “The last decade was shaped by cloud infrastructure because it gave attackers scale, elasticity, and reach; today, compromised embedded and IoT devices offer something similar at the edge: massive distribution, weak visibility, and a steady stream of always-on footholds. That makes them especially valuable for persistence, proxying, and blending malicious traffic into the normal flow of the internet.”
Unfortunately, most organizations aren’t equipped to detect compromised embedded devices, Epifani said.
“Detection requires full visibility into embedded devices, east‑west traffic, and firmware‑level behavior, capabilities most enterprises and critical infrastructure operators lack,” he said.
The reason, he said, is that embedded devices are typically monitored for uptime rather than behavioral misuse. In fact, according to government assessments, many organizations only became aware their devices were compromised after external takedowns, not internal detection.
At the moment, embedded and IoT devices are an ideal substrate for covert activity at scale, Ierymenko said. However, organizations can make covert networks more difficult for malicious actors to maintain.
“Three things matter most: identity, containment, and observability,” he said. “If devices can’t freely trust each other by default, if their communications are constrained to explicit policy rather than open-ended reachability, and if anomalies are visible early, covert networks become much harder to build and much easier to disrupt.”
At the protocol level, that means minimizing implicit trust, reducing lateral movement within networks, and making every connection accountable.
“The less anonymous and unconstrained the path is, the harder it is for an attacker to hide inside it,” he said.
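The containment and observability controls Ierymenko describes can be expressed as an explicit per-device communication policy checked against flow records, flagging both policy violations and the inbound-then-fan-out pattern of a relay node. This is an added example, not code from the article or from any vendor quoted in it; the addresses, policy and flow records are constructed.

```python
"""Flag embedded devices that break an explicit communication policy or behave
like relays, over constructed flow records (added example, hypothetical values)."""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport")  # originating address, destination, port

# Constructed policy: each managed device may only originate connections to the
# listed (destination, port) pairs; None means unrestricted (plain forwarder).
INTERNAL = ip_network("10.0.0.0/8")
POLICY = {
    "10.0.5.20": {("10.0.1.10", 443), ("10.0.1.11", 123)},  # camera -> NVR, NTP
    "10.0.5.30": {("10.0.1.10", 443)},                        # NAS -> backup server
    "10.0.5.1": None,                                         # SOHO router
}

def policy_violations(flows):
    """Flows originated by a managed device outside its allow-list, keyed by device."""
    out = defaultdict(list)
    for f in flows:
        allowed = POLICY.get(f.src)
        if allowed is not None and (f.dst, f.dport) not in allowed:
            out[f.src].append(f)
    return dict(out)

def relay_suspects(flows, min_peers=2):
    """Managed devices that both accept connections from outside INTERNAL and
    originate connections to at least min_peers distinct destinations: relay
    behaviour, not the job of a camera, NAS or home router. Flows are those the
    device itself terminates or originates, not traffic it NAT-forwards."""
    inbound, outbound = defaultdict(set), defaultdict(set)
    for f in flows:
        if f.dst in POLICY and ip_address(f.src) not in INTERNAL:
            inbound[f.dst].add(f.src)
        if f.src in POLICY:
            outbound[f.src].add((f.dst, f.dport))
    return sorted(d for d in POLICY if inbound[d] and len(outbound[d]) >= min_peers)

# Constructed sample: benign camera and NAS traffic, a NAS reaching an unexpected
# external host, and the router taking external connections then fanning out.
SAMPLE = [
    Flow("10.0.5.20", "10.0.1.10", 443), Flow("10.0.5.20", "10.0.1.11", 123),
    Flow("10.0.5.30", "10.0.1.10", 443), Flow("10.0.5.30", "203.0.113.7", 8443),
    Flow("198.51.100.23", "10.0.5.1", 443), Flow("10.0.5.1", "10.0.1.10", 22),
    Flow("10.0.5.1", "203.0.113.9", 443),
]
```

On the sample, the NAS is reported for an out-of-policy connection and the router for relay-like behaviour, while the camera, whose traffic stays inside its allow-list, is not.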