U.S. agencies ordered to patch Cisco devices amid hacking spree

The top U.S. cyber defense agency is ordering all federal civilian agencies to patch vulnerable Cisco networking products that state-backed hackers are actively targeting.
Why it matters: Federal cyber investigators have already found evidence of compromised devices, and the agency is aware of hundreds of potentially vulnerable Cisco devices across the federal government, a U.S. official told reporters.
Driving the news: Cisco said Thursday that it has been working with "multiple government agencies" to investigate attacks on its firewalls that let hackers implant malware, execute commands and possibly exfiltrate data from the devices they break into.
- The company also disclosed and released patches for three zero-day vulnerabilities in its Adaptive Security Appliances — although attackers have only been targeting two of them.
- The Cybersecurity and Infrastructure Security Agency issued an emergency directive alongside the news, ordering agencies to disconnect compromised devices by noon on Friday and report the incidents to the agency.
- Agencies that have the affected Cisco devices, but haven't been compromised, are ordered to report to CISA where they are using the products in their networks by Oct. 2.
Threat level: During its threat-hunting campaign, CISA uncovered evidence that some federal devices had already been compromised.
- Cisco attributed the attacks to ArcaneDoor, a hacking group that predominantly targets networking devices and has been active since 2023. Some researchers have linked the group to China-based hackers, but the U.S. has not formally attributed the attacks.
- In some cases, the hackers had "modified commands to allow for persistence across reboots and software upgrades," Chris Butera, acting deputy executive assistant director for cyber at the agency, told reporters.
- A U.S. official told Cybersecurity Dive that at least 10 organizations worldwide have been breached, including multiple federal agencies.
Between the lines: CISA is issuing the directive in part to get a better handle on the scope of the intrusions on U.S. networks and across critical infrastructure, Butera added.
- "CISA is directing federal agencies to take immediate action to reduce risks to federal systems upon which our American population depends," he said.
The intrigue: Cisco said it was first alerted to these attacks on government organizations in May, but the company and CISA only went public with their findings on Thursday.
- Butera said neither the agency nor the company wanted to publicly disclose the flaws until a patch was in place.
What to watch: It's unclear which civilian agencies were breached and what information was stolen. The U.S. has also yet to formally attribute the attacks to a specific nation-state.
If you're a cyber investigator with a tip about the Cisco breaches in the U.S. government, you can reach out confidentially to Sam Sabin on Signal at SamSabin.01 or by email at [email protected].
