In brief:
- UK and allied cyber authorities have warned that China-linked actors are using covert networks built from compromised devices.
- The networks rely heavily on vulnerable routers, IoT devices, smart equipment, firewalls, and other edge infrastructure.
- Defence suppliers face practical production-security pressure around remote access, third-party systems, asset mapping, and supply-chain assurance.
UK defence suppliers are under renewed pressure to secure routers, remote-access systems, and edge devices after cyber authorities warned that China-linked actors are using covert networks of compromised equipment to disguise malicious activity.
The tactic relies on large-scale networks of compromised small office/home office routers, Internet of Things devices, smart equipment, firewalls, network-attached storage, and other exposed systems. Once enrolled into covert infrastructure, these devices can route traffic, disguise origin, support reconnaissance, deliver malware, maintain command-and-control links, and move stolen data out of target environments.
For defence manufacturers and aerospace suppliers, the risk sits in a part of the estate that can be less visible than headline engineering systems. Many companies have invested heavily in enterprise networks, classified environments, engineering data, and production controls. Edge infrastructure can be more fragmented: older routers, remote-access appliances, contractor VPN routes, test-lab links, smart building systems, cameras, and supplier-managed devices that sit between corporate IT and operational activity.
That boundary has become a primary attack surface. A compromised router may not look like a dramatic intrusion point, but it can allow hostile actors to blend into ordinary regional traffic, perform reconnaissance against target organisations, and approach networks from infrastructure that appears geographically or commercially plausible. Static blocklists struggle in that environment because nodes are refreshed quickly, shared between actors, and replaced as devices are patched, abandoned, or newly compromised.
The practical consequence for defence suppliers is a move from simple perimeter blocking toward active understanding of network-edge behaviour. Organisations need to map edge devices, baseline normal connections, review VPN and remote-access traffic, use dynamic threat feeds, and enforce multi-factor authentication across all remote entry points. Larger and higher-risk suppliers will also need to hunt actively for traffic associated with covert networks and treat such infrastructure as a tracked threat rather than background internet noise.
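As an added illustration of the "baseline normal connections, review remote-access traffic, use dynamic threat feeds" controls (not code from the advisory or from any named vendor), the following script builds a per-user baseline of source networks from historical VPN logins, then reviews new logins against that baseline and against a time-bounded indicator feed. The log-line format, the /24 grouping of source addresses, the feed layout (network, first seen, last seen) and the 24-hour grace window are all assumptions chosen for the example; the log lines and feed rows are constructed, and the feed entries carry an expiry because, as the text notes, covert-network nodes are refreshed and abandoned quickly, so a hit on a retired node is a review prompt rather than a block decision.

```python
"""Review remote-access logins against a user baseline and a churning indicator feed.

All data below is constructed for the example; field names and formats are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed historical logins, used only to learn where each user normally connects from.
HISTORY = [
    "2024-05-01T08:02:11Z user=alice src=81.2.69.10 mfa=yes result=success",
    "2024-05-02T08:05:40Z user=alice src=81.2.69.22 mfa=yes result=success",
    "2024-05-01T07:58:03Z user=bob src=192.0.2.40 mfa=yes result=success",
    "2024-05-03T09:12:30Z user=carol src=100.64.1.5 mfa=yes result=success",
]

# Constructed new logins to review.
NEW_LOGINS = [
    "2024-05-10T09:15:02Z user=alice src=81.2.69.30 mfa=yes result=success",
    "2024-05-10T09:20:44Z user=bob src=203.0.113.45 mfa=no result=success",
    "2024-05-14T22:01:09Z user=carol src=203.0.113.200 mfa=yes result=success",
    "2024-05-14T22:05:00Z user=bob src=198.51.100.77 mfa=yes result=failed",
]

# Constructed dynamic feed: (network, first_seen, last_seen). last_seen=None means still active.
FEED_ROWS = [
    ("203.0.113.0/24", "2024-05-09T00:00:00Z", "2024-05-11T00:00:00Z"),
    ("198.51.100.77/32", "2024-05-10T12:00:00Z", None),
]


def parse_ts(s: str) -> datetime:
    # ISO-8601 with a trailing Z; normalise so fromisoformat accepts it on older Pythons.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_login(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = parse_ts(ts)
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["mfa"] = rec.get("mfa") == "yes"
    return rec


def prefix_of(ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    # Baseline on the /24 rather than the exact address (assumption) so DHCP churn does not alert.
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(lines: list[str]) -> dict[str, set[ipaddress.IPv4Network]]:
    baseline: dict[str, set[ipaddress.IPv4Network]] = {}
    for rec in map(parse_login, lines):
        # Only successful, MFA-backed logins are trusted enough to define "normal".
        if rec["result"] == "success" and rec["mfa"]:
            baseline.setdefault(rec["user"], set()).add(prefix_of(rec["src"]))
    return baseline


@dataclass
class FeedEntry:
    network: ipaddress.IPv4Network
    first_seen: datetime
    last_seen: datetime | None

    def status_at(self, ts: datetime, grace: timedelta) -> str | None:
        """'active' if the node was live at ts (plus grace), 'expired' if retired, None if not yet seen."""
        if ts < self.first_seen:
            return None
        if self.last_seen is None or ts <= self.last_seen + grace:
            return "active"
        return "expired"


def load_feed(rows) -> list[FeedEntry]:
    return [
        FeedEntry(ipaddress.ip_network(net), parse_ts(first), parse_ts(last) if last else None)
        for net, first, last in rows
    ]


def review_login(rec: dict, baseline: dict, feed: list[FeedEntry],
                 grace: timedelta = timedelta(hours=24)) -> list[str]:
    findings = []
    if prefix_of(rec["src"]) not in baseline.get(rec["user"], set()):
        findings.append("off-baseline")
    for entry in feed:
        if rec["src"] in entry.network:
            status = entry.status_at(rec["ts"], grace)
            if status:
                findings.append(f"feed-{status}")
    if not rec["mfa"]:
        findings.append("no-mfa")
    return findings


def review(lines: list[str], baseline: dict, feed: list[FeedEntry]) -> list[dict]:
    """Return only the logins that produced at least one finding."""
    out = []
    for rec in map(parse_login, lines):
        findings = review_login(rec, baseline, feed)
        if findings:
            out.append({"user": rec["user"], "src": str(rec["src"]), "findings": findings})
    return out


if __name__ == "__main__":
    for hit in review(NEW_LOGINS, build_baseline(HISTORY), load_feed(FEED_ROWS)):
        print(hit)
```

Run as-is, the alice login is silent (same /24 as her history), the first bob login stacks three findings (new network, active feed node, no MFA), the carol login shows how an expired feed node still surfaces as a review item rather than a block, and the failed bob attempt from a still-active node is reported even though it did not succeed.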
Defence manufacturing depends on a broad ecosystem of primes, tier-one suppliers, specialist machining houses, electronics assemblers, software providers, test laboratories, materials companies, and maintenance contractors. Many smaller companies operate with lean cyber teams while holding valuable drawings, tooling data, production schedules, quality records, export-controlled files, and access routes into larger customers. A compromised edge device at one supplier can become a foothold for intelligence collection or a stepping stone toward more sensitive environments elsewhere in the chain.
Cyber compromise does not have to steal data to damage production. Manufacturing systems depend on uptime, configuration control, trusted software, test records, and verified supplier communication. An attacker able to observe order flow, map engineering dependencies, identify production bottlenecks, or tamper with access systems can create later disruption through delay, rework, quality uncertainty, or loss of confidence in a supplier.
The same broad exposure can be seen in the way timing attacks threaten smart defence factories, where microsecond manipulation inside industrial networks presents risks to robotics, IIoT equipment, and deterministic manufacturing processes. The China-linked covert-network threat sits at a different layer, but both pressures point to the same reality: the defence factory is now a connected system of systems, and attackers do not have to enter through the most obvious door.
Third-party access deserves particular scrutiny. Defence production rarely happens inside one organisation. Equipment vendors connect to machinery, IT providers manage endpoints, customers exchange technical data, and subcontractors carry out specialist processes. Remote access improves efficiency, but it also creates routes that must be mapped, monitored, restricted, and shut down quickly when a linked organisation is compromised.
Cyber Essentials and Cyber Essentials Plus remain useful baselines, but defence customers are likely to ask more specific questions about edge-device management, unsupported equipment, VPN monitoring, supplier access, and incident response. Asset inventories that omit routers, firewalls, cameras, smart devices, test appliances, or building-management systems will look increasingly thin. Anything connected to the network becomes part of the security architecture.
The harder issue for the supply chain is cost. Smaller suppliers cannot all operate like national cyber units, which makes practical controls more valuable than elaborate policy documents. Unsupported devices need to be removed, exposed appliances patched, remote access restricted, MFA enforced, third-party connections documented, logs reviewed, and production networks separated from general business traffic wherever possible. Primes also have a role in making supplier assurance achievable rather than turning cyber compliance into another audit burden detached from factory reality.
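The two preceding paragraphs ask for an asset inventory that actually covers edge devices, for unsupported equipment to be removed, and for third-party connections to be documented. As an added example (not code from the article or from any assurance scheme), the script below reconciles a constructed CMDB export against a constructed network sweep and reports the gaps a supplier would want to close: devices on the wire that no record owns, records whose vendor support has ended, edge devices with no named owner, and records for equipment that is no longer seen. The record fields, the set of "edge" device types and the date format are assumptions made for the example.

```python
"""Reconcile an asset inventory against discovered hosts and report edge-security gaps.

Inventory rows, discovered hosts and device types are constructed for the example.
"""
from __future__ import annotations

from datetime import date

# Assumed device classes that sit at the network edge or between IT and production.
EDGE_TYPES = {"router", "firewall", "vpn-appliance", "camera", "nas", "bms-controller"}

# Constructed CMDB export. support_end is the vendor end-of-support date (ISO format, assumption).
INVENTORY = [
    {"ip": "10.10.0.1", "name": "core-fw-01", "type": "firewall", "owner": "it-security", "support_end": "2027-03-31"},
    {"ip": "10.10.0.2", "name": "vpn-gw-01", "type": "vpn-appliance", "owner": "it-network", "support_end": "2023-09-30"},
    {"ip": "10.20.5.10", "name": "cnc-cell-3-pc", "type": "workstation", "owner": "production", "support_end": "2028-01-01"},
    {"ip": "10.30.1.4", "name": "hvac-ctl-1", "type": "bms-controller", "owner": "", "support_end": "2030-01-01"},
    {"ip": "10.40.0.1", "name": "test-lab-rtr-9", "type": "router", "owner": "test-lab", "support_end": "2022-06-30"},
]

# Constructed ARP/DHCP sweep of the same ranges.
DISCOVERED = [
    {"ip": "10.10.0.1", "mac": "00:11:22:33:44:01"},
    {"ip": "10.10.0.2", "mac": "00:11:22:33:44:02"},
    {"ip": "10.20.5.10", "mac": "00:11:22:33:44:03"},
    {"ip": "10.30.1.4", "mac": "00:11:22:33:44:04"},
    {"ip": "10.30.1.77", "mac": "00:11:22:33:44:05"},   # nothing in the inventory claims this host
    {"ip": "10.20.5.200", "mac": "00:11:22:33:44:06"},  # nor this one, on the production segment
]


def reconcile(inventory: list[dict], discovered: list[dict], today: date) -> dict[str, list[str]]:
    """Return four sorted gap lists keyed by gap type."""
    by_ip = {row["ip"]: row for row in inventory}
    seen = {host["ip"] for host in discovered}

    # On the network but in no record: cannot be patched, owned or segmented if nobody knows it exists.
    unmanaged = sorted(seen - by_ip.keys())

    # Vendor support has ended: the text asks for these to be removed, not merely noted.
    unsupported = sorted(
        row["name"] for row in inventory if date.fromisoformat(row["support_end"]) < today
    )

    # Edge devices with no named owner are usually the supplier- or landlord-managed ones.
    ownerless_edge = sorted(
        row["name"] for row in inventory if row["type"] in EDGE_TYPES and not row["owner"]
    )

    # Recorded but not seen: either retired without updating the record, or only reachable via another path.
    not_seen = sorted(row["name"] for row in inventory if row["ip"] not in seen)

    return {
        "unmanaged": unmanaged,
        "unsupported": unsupported,
        "ownerless_edge": ownerless_edge,
        "not_seen": not_seen,
    }


if __name__ == "__main__":
    for gap, items in reconcile(INVENTORY, DISCOVERED, date(2024, 5, 10)).items():
        print(f"{gap}: {items}")
```

The output is deliberately split by gap type because each calls for a different owner: unmanaged hosts go to whoever runs the segment, unsupported records to procurement and the device owner, ownerless edge devices to the contract that brought them in, and unseen records to the inventory maintainer.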
The warning reinforces a practical industrial point. Defence production security is no longer limited to guarding drawings, controlling export files, and locking factory doors. It now extends to the consumer-grade, forgotten, or externally managed devices that can quietly carry hostile traffic around the world. For UK defence suppliers, edge visibility has become part of production resilience.