TL;DR: On April 23, 2026, CISA, the FBI, the DoD Cyber Crime Center, and four allied nations issued joint advisory AA26-113A warning that China-nexus state actors are compromising small office/home office (SOHO) routers, network cameras, and IoT devices at scale to build covert networks for espionage, reconnaissance, and command-and-control. Small businesses in North Carolina, especially manufacturers in defense supply chains, are unwitting hosts and downstream targets. Patch every edge device, replace end-of-life hardware, segment IoT, enforce MFA on remote access, and monitor outbound traffic.
Key takeaway: Your office router is now a piece of nation-state cyber infrastructure if it is unpatched, end-of-life, or running default credentials. The five-country advisory (US, UK, Australia, Canada, New Zealand) treats consumer-grade and SMB edge devices as the primary attack surface, not Fortune 500 firewalls.
Is your edge hardware exposed to AA26-113A? Preferred Data Corporation runs free network edge assessments for North Carolina businesses. Call (336) 886-3282 or request an edge security assessment. BBB A+ rated since 1987.
What did CISA's April 23, 2026 advisory actually say?
CISA Advisory AA26-113A documents a major shift in tactics by China-nexus cyber actors: instead of buying or renting cloud infrastructure, they are compromising tens of thousands of internet-facing SOHO routers, IP cameras, network video recorders, and IoT controllers and using them as a "covert network" to scale espionage operations against US and allied targets. The advisory was released jointly with the FBI, the Department of Defense Cyber Crime Center (DC3), the UK's National Cyber Security Centre, the Australian Signals Directorate, the Communications Security Establishment Canada, and New Zealand's Government Communications Security Bureau.
The compromised devices are then used to:
- Hide the true origin of intrusions against US targets (obscuring attribution)
- Conduct reconnaissance, brute-force attacks, and credential stuffing
- Operate as command-and-control (C2) hop points
- Stage data exfiltration so traffic appears to come from a US business IP
CISA's defensive guidance is unambiguous: organizations must "map network edge devices, baseline normal connections, maintain log collection and storage, and implement multifactor authentication for remote connections" (CISA, 2026).
Why is this an urgent small business problem in North Carolina?
Small and mid-sized businesses are the preferred host platform for this kind of campaign for three reasons:
- They have public IP addresses. Cloud-based attacker infrastructure is easier to block. A pivot through a router belonging to a legitimate Greensboro accounting firm or a Hickory furniture manufacturer looks like normal US traffic.
- They run end-of-life or unpatched edge gear. A 2025 industry study cited by Industrial Cyber found that the median age of compromised SOHO devices in covert networks exceeds five years and that most are no longer receiving vendor security updates.
- They have weak monitoring. Most NC small businesses have never reviewed outbound traffic from their router, let alone alerted on anomalous flows.
Earlier joint advisories tracked the same actor families ("Volt Typhoon" and "Salt Typhoon") pre-positioning inside US critical infrastructure (CISA AA25-239A). AA26-113A confirms the playbook has industrialized: nation-state actors are no longer focused exclusively on the energy grid or telecoms. They are pivoting through the home routers, IP cameras, and SMB firewalls of ordinary American businesses.
According to the Verizon 2026 Data Breach Investigations Report and supporting industry data, vulnerability exploitation as an initial access vector increased 34% year over year, with edge devices among the most exploited targets. Combined with BlackFog's State of Ransomware 2026 finding that small and mid-sized businesses now account for 70.5% of disclosed breaches, the picture is clear: your edge is the perimeter, and the perimeter is on fire.
Which devices are at greatest risk in NC small businesses?
| Device class | Typical risk | What attackers do with it |
|---|---|---|
| Consumer SOHO routers (Linksys, ASUS, TP-Link, Netgear) | End-of-life firmware, default credentials | Hop point, C2, credential capture |
| SMB firewalls running unpatched VPN | CVE backlog, exposed SSL VPN | Initial access, ransomware staging |
| IP cameras and NVRs | No firmware updates, telnet open | Botnet, internal recon, video exfil |
| Industrial IoT controllers (HVAC, access control) | Flat-network connectivity to OT | Pivot from IT into OT/SCADA |
| Print servers and MFPs | Forgotten admin web UIs | Credential harvesting, lateral movement |
| Smart TVs and conference room kit | Unpatched Android, microphones | Audio capture, persistent footholds |
For NC manufacturers handling CMMC-regulated CUI, defense primes are increasingly auditing supplier edge hygiene. A compromised router can fail an annual CMMC assessment and jeopardize contract renewals.
What are the five immediate actions every NC small business must take?
Action capsule: Patch every edge device, retire anything past end-of-life, enforce MFA on every remote-access path, segment IoT/OT off the corporate LAN, and turn on outbound traffic logging. Most small businesses can complete steps 1-3 in under 30 days.
1. Inventory every internet-facing device this week
You cannot defend what you do not know exists. Walk every closet, IDF, and wiring panel. Document make, model, firmware version, public IP exposure, and end-of-life status. Include:
- Routers and modems
- Firewalls (SonicWall, Fortinet, Cisco Meraki, Sophos, WatchGuard, Ubiquiti)
- Wireless access points
- IP cameras and NVRs
- VoIP phone systems
- Smart-building controllers and HVAC gateways
- Print/scan devices
- VPN concentrators and remote-access appliances
Preferred Data's managed IT services include an automated edge inventory tool that discovers exposed devices in under one business day.
2. Patch firmware on every device, then enable auto-update where supported
CISA's Known Exploited Vulnerabilities Catalog lists dozens of router and edge-device CVEs under active exploitation. The 2025-2026 wave includes high-severity flaws in SonicWall (CVE-2024-40766), Fortinet, Ivanti, Cisco IOS XE, and consumer router brands. Apply vendor patches immediately and subscribe to vendor security mailing lists.
3. Replace any device that has reached end-of-life
If your router or firewall no longer receives firmware updates, it cannot be secured. Period. This includes a long list of widely deployed gear that quietly hit end-of-life in 2024-2025. Budget for replacement now. The Wall Street Journal and federal advisories increasingly treat "running EOL hardware on the public internet" as gross negligence equivalent to running an unpatched Windows XP server.
4. Enforce multifactor authentication on every remote login path
CISA explicitly highlights MFA on remote connections as a top mitigation. According to Microsoft research, MFA blocks 99.9% of automated credential attacks. That includes:
- SSL VPN logins
- Firewall management UIs
- Cloud admin consoles (Microsoft 365, Google Workspace)
- Remote desktop and RMM tools
5. Segment IoT and OT off the corporate LAN
A flat network turns one compromised camera into a launchpad for ransomware against finance and engineering. Segment cameras, HVAC, badge readers, smart TVs, and OT controllers onto isolated VLANs with default-deny rules between zones. For manufacturers, this is also a CMMC 2.0 boundary protection requirement.
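As an added example that is not from the advisory or from Preferred Data, here is the advisory's "baseline normal connections" guidance combined with the step-5 default-deny egress policy in working form: it learns which external destinations each VLAN normally reaches during a learning window, then flags flows that break the zone's egress rules, reach a never-seen destination, or come from a device that is in no inventoried VLAN at all. The VLAN ranges, allowed ports and flow records are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zone layout from the segmentation step: corp LAN and an isolated IoT VLAN.
ZONES = {"corp": ip_network("10.10.0.0/24"), "iot": ip_network("10.20.0.0/24")}
INTERNAL = ip_network("10.0.0.0/8")  # all address space this (hypothetical) business owns
ALLOWED_PORTS = {"corp": {443, 53, 123}, "iot": {123}}  # default-deny egress: IoT gets NTP only

# Constructed flow records, "timestamp,src,dst,dst_port,bytes": a learning week, then later traffic.
BASELINE_LOG = """
2026-04-20T09:00:00,10.10.0.15,203.0.113.10,443,2400
2026-04-20T09:02:00,10.20.0.5,192.0.2.50,123,76
"""
NEW_LOG = """
2026-04-24T02:13:00,10.10.0.15,203.0.113.10,443,3100
2026-04-24T02:14:00,10.20.0.5,192.0.2.50,123,76
2026-04-24T02:15:00,10.20.0.5,198.51.100.77,443,920
2026-04-24T02:17:00,10.10.0.15,198.51.100.9,443,54000
2026-04-24T02:18:00,10.30.0.9,203.0.113.10,443,500
"""

def parse(log):
    """Yield (ts, src, dst, port, bytes) for flows that leave the internal address space."""
    for line in log.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        src, dst = ip_address(src), ip_address(dst)
        if dst not in INTERNAL:  # east-west traffic is out of scope for this check
            yield ts, src, dst, int(port), int(nbytes)

def zone_of(ip):
    return next((name for name, net in ZONES.items() if ip in net), None)

def build_baseline(log):
    seen = defaultdict(set)  # zone -> {(dst_ip, port)} observed during the learning window
    for _, src, dst, port, _ in parse(log):
        seen[zone_of(src)].add((str(dst), port))
    return seen

def find_anomalies(log, baseline):
    """Return (ts, src, reason, dst:port) for each flow that breaks policy or baseline."""
    alerts = []
    for ts, src, dst, port, _ in parse(log):
        zone, target = zone_of(src), f"{dst}:{port}"
        if zone is None:  # source is not in any inventoried VLAN
            alerts.append((ts, str(src), "unknown-source", target))
        elif port not in ALLOWED_PORTS[zone]:  # egress the VLAN rules should have dropped
            alerts.append((ts, str(src), "policy-violation", target))
        elif (str(dst), port) not in baseline[zone]:  # allowed port, never-seen destination
            alerts.append((ts, str(src), "new-destination", target))
    return alerts
```

Feed it exported firewall or NetFlow records in the same comma-separated shape; an "unknown-source" hit is the step-1 inventory gap, a "policy-violation" means the step-5 VLAN rules are not actually enforced, and a "new-destination" is what to investigate before assuming it is benign.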
What does Preferred Data Corporation do that addresses this directly?
Preferred Data has been securing North Carolina small business networks since 1987. We specifically address AA26-113A risks through:
- Edge device discovery and inventory: Automated identification of every internet-facing asset across all NC sites with EOL flagging.
- Managed firmware patching: Centralized patch deployment across firewalls, switches, APs, IP cameras, and IoT controllers.
- 24/7 outbound traffic monitoring: SIEM and SOC services that flag anomalous outbound connections to known C2 infrastructure (the exact behavior AA26-113A describes).
- MFA rollout: Identity hardening for VPNs, RMM tools, and cloud admin portals.
- Network segmentation engineering: VLAN design, micro-segmentation, and zero-trust enforcement for offices and shop floors.
- CMMC and NIST 800-171 alignment: Documentation that your edge controls meet defense supply chain requirements.
- Hardware lifecycle planning: Replacement roadmaps so EOL devices never quietly become covert-network hosts.
Learn more about our managed IT and cybersecurity services.
How does this attack tie back to ransomware and tariff-driven IT cost cuts?
The same compromised edge devices that nation-state actors use for espionage are also the entry path for ransomware affiliates. Arctic Wolf reports that 74% of 2025 ransomware claims started with a compromised VPN appliance. Akira ransomware in particular has weaponized SonicWall vulnerabilities to encrypt small business networks in under four hours.
Compounding the problem, tariff-driven cost increases have pushed network security appliance prices up 14-18%, leading some businesses to extend hardware refresh cycles from three to six years. That is exactly the population of devices nation-state actors are targeting. Cutting CapEx on edge security in 2026 is a false economy: the cost of a single AA26-113A-style compromise dwarfs the savings.
What does this mean for NC manufacturers and defense contractors?
Manufacturers in High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, Hickory, and Durham face concentrated risk:
- Defense supply chain exposure: A compromised edge device that connects to a DoD prime can fail a CMMC assessment, triggering contract loss.
- Operational technology bridging: Many NC plants share network paths between IT and OT. A pivot from a compromised IP camera to a PLC is well-documented in CISA advisories.
- Insurance underwriting: Cyber carriers now ask explicitly about edge-device patch hygiene and EOL hardware. "No" answers raise premiums or deny coverage.
- Tariff cost pressure: Manufacturers facing 14-18% increases in firewall costs may delay replacement, exactly the wrong move under AA26-113A.
Preferred Data's M&A technology services and vCIO advisory help NC manufacturers prioritize spend so security and compliance investments are not the line items that get cut.
Key takeaway: AA26-113A is not a routine advisory. It is a confirmation that small business edge gear is now front-line cyber infrastructure. The five steps above (inventory, patch, replace, MFA, segment) are the difference between hosting nation-state operations and being a defensible business.
About Preferred Data Corporation
Preferred Data Corporation has secured North Carolina small business networks for 37+ years. From our High Point, NC headquarters, we deliver managed IT, cybersecurity, cloud, and OT/IT integration services to manufacturers, distributors, construction firms, and professional services across the Piedmont Triad and Research Triangle. Our 20+ year average client retention, BBB A+ rating, and on-site coverage within 200 miles of High Point make us the trusted edge-security partner for businesses that cannot afford to be a covert-network host.
Respond to AA26-113A today:
- Call (336) 886-3282
- Visit preferreddata.com/contact
- Email [email protected]
- Address: 1208 Eastchester Drive, Suite 131, High Point, NC 27265
Frequently Asked Questions
Is my home office router actually a national security risk?
If it is internet-facing, has not been patched recently, or has reached vendor end-of-life, yes. CISA's AA26-113A advisory confirms that consumer-grade SOHO routers are a primary infrastructure layer for China-nexus covert networks. Replace any device that no longer receives firmware updates and enable automatic updates on the rest.
How do I know if my router is end-of-life?
Check the manufacturer's support site for your exact model and firmware version. If the most recent security update is more than 18 months old, or the model is on the vendor's "discontinued" list with no security maintenance, treat it as end-of-life. Common consumer brands publish EOL schedules: Linksys, ASUS, TP-Link, Netgear, and D-Link all maintain support pages.
Does CISA AA26-113A apply to my small business if I am not a defense contractor?
Yes. The advisory describes attackers compromising any internet-facing SOHO device they can reach. Defense contractors face additional CMMC consequences, but every NC small business is a potential covert-network host. Manufacturers, healthcare offices, accounting firms, law firms, and construction companies have all been identified as compromise victims in related CISA reports.
How much does it cost to remediate AA26-113A risks for a 25-person business?
A typical NC small business edge remediation (firmware patching, MFA rollout, EOL replacement of one firewall plus segmentation) ranges from $4,500 to $18,000 in one-time work plus $75-$175 per user per month for ongoing managed security. The median ransom demand from Akira ransomware (which uses the same edge devices) is now $1.2 million, according to At-Bay's 2026 InsurSec Report. Remediation pays for itself many times over.
Can I just replace my router and call it done?
No. AA26-113A also covers IP cameras, NVRs, smart-building controllers, IoT, and VPN appliances. A complete response requires an inventory of every internet-facing device, a patching plan, MFA on remote access, network segmentation, and outbound traffic monitoring. Preferred Data's edge security assessment walks NC businesses through each step.
What logs does CISA recommend I retain?
CISA AA26-113A recommends maintaining "log collection and storage solutions" with sufficient retention to detect long-dwell intrusions. NIST and FBI guidance generally recommend at least 12 months of edge device, firewall, and authentication logs. For CMMC and HIPAA-regulated NC businesses, retention can be longer. A managed SIEM service simplifies this.
References
- CISA, FBI, DC3, NCSC-UK, ASD, CCCS, NCSC-NZ. (2026, April 23). Defending Against China-Nexus Covert Networks of Compromised Devices (AA26-113A). https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-113a
- CISA. (2025). Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide (AA25-239A). https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
- CISA. (2026). Known Exploited Vulnerabilities Catalog. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Verizon. (2026). 2026 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
- BlackFog. (2026). The State of Ransomware 2026. https://www.blackfog.com/the-state-of-ransomware-2026/
- Arctic Wolf. (2025-2026). Akira Ransomware SonicWall SSL VPN Campaign. https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/
- Industrial Cyber. (2026). Cybersecurity agencies flag use of covert networks by China-linked actors for espionage. https://industrialcyber.co/cisa/cybersecurity-agencies-flags-use-of-covert-networks-by-china-linked-actors-for-espionage-offensive-operations/
- Microsoft Learn. (2026). How multifactor authentication works. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks