Hackers exploit Cisco firewalls in US federal systems

According to a senior federal official, hackers have slipped past defenses by compromising firewall devices inside the federal government.

On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) sent an urgent directive, telling agencies to secure Cisco firewall devices and look for any signs of compromise.

Chris Butera, acting deputy executive assistant director for CISA’s cybersecurity division, has even asked other government bodies and private companies to take similar precautions, noting that the threat is widespread.

According to a US official, about 10 organizations worldwide have been breached, although that number could increase. The official said there were still “a lot of unknowns” about the campaign. Another US official called the campaign “very sophisticated” and noted the hackers’ malware as highly intricate.

“CISA is deeply concerned about this activity,” the second official said. “If agencies don’t get on this right away, it could be bad for them.”

Cisco calls the attackers’ methods complex and sophisticated

The group, which Cisco calls ArcaneDoor, has reportedly been conducting spying operations since last year. According to CISA, their attacks could hurt critical infrastructure in the US. Nonetheless, Washington is bracing for a busy few days as teams work to detect the hackers and secure vulnerable devices before more damage occurs. Agencies must update and submit reports by Friday.

Cisco told reporters it collaborated with multiple agencies in May to investigate the hacks and later uncovered three additional vulnerabilities exploited by the attackers. It said the hackers used these flaws to install malware, run commands, and potentially steal data. The company has also advised customers to patch their systems immediately. The UK government had also issued its own warning Thursday, describing the hackers’ malware as a “major step forward” from their earlier tools.

Per Cisco’s analysis, the hackers exploited several zero-day flaws and used stealth tactics like turning off logging, hijacking commands, and crashing devices to avoid detection. The company even describes the tactics as complex and sophisticated. The compromised devices included certain models from Cisco’s ASA 5500-X Series, which serve as firewalls to shield corporate networks from attacks. 

Analysts believe a China-linked group was involved in the attack

So far, authorities have not named any suspects for the attack, but researchers believe the hackers are linked to China and have been targeting Cisco vulnerabilities for an extended period. Butera claimed that their directive will help map out the complete extent of the compromise affecting federal networks.

Palo Alto Networks’ Unit 42 also told CNN they believe the campaign is China-linked and noted that more groups may soon target the same weaknesses now that the vulnerabilities and fixes are public. Sam Rubin, a senior vice president at Unit 42, iterated, “As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.” Palo Alto has been monitoring hackers worldwide, and according to them, the group has been changing tactics and leaning towards more US entities. 

This disclosure comes just days after Mandiant, part of Google, said a separate group of suspected Chinese hackers infiltrated US software developers and law firms in an espionage campaign tied to the US-China trade dispute. The firm said full remediation may take months.

KEY Difference Wire: the secret tool crypto projects use to get guaranteed media coverage