State-sponsored actors targeted security devices used by governments around the world, according to technology firm Cisco Systems, which said the network devices are coveted intrusion points by spies.
In a blog post Wednesday, Cisco named it “ArcaneDoor,” and described the activity as an espionage-focused campaign carried out by “state-sponsored actors targeting perimeter network devices from multiple vendors.” It also said it found victims globally, all of which involved government networks.
Cisco and the cybersecurity agencies of Canada, Australia and the United Kingdom are urging customers to patch devices quickly.
In a joint, separate advisory, the Canadian Centre for Cyber Security, Australian Signals Directorate’s Australian Cyber Security Centre and the UK’s National Cyber Security Centre said they’ve been monitoring malicious cyber activity since early 2024 that targets virtual private network services — known as VPNS — used by governments and critical infrastructure globally.
VPNs offer a private tunnel that lets workers log into office networks from home, among other uses.
“The capabilities are indicative of espionage conducted by a well-resourced and sophisticated state-sponsored actor,” the advisory said.
The agencies noted the campaign was sophisticated and used “multiple layers of novel techniques.
Canada’s Communications Security Establishment (CSE), the government agency responsible for information security, told CTV News it was too early to determine which, if any, state was behind the attack.
“It is important that Canada and its partners defend against all threats, whether attributed or not,” a spokesperson wrote.
Claudiu Popa, CEO of Datarisk Canada, said the Canadian government has historically been a consumer of Cisco and pointed out how the company is one of the largest providers of network equipment.
“It’s a huge concern for not just Canada, but any country around the world and their governments,” Popa said, adding the attackers don’t appear to be on a mission to use ransomware or cyber extortion.
“The attackers are specifically looking for information,” he said.
According to Cisco, a customer first alerted the company of a possible threat in early 2024 but its investigation discovered “actor-controlled infrastructure” dating back to early November 2023, and most activity took place between December 2023 and early January 2024. Cisco found methods were being tested as early July 2023.
Calvin Engen, chief technology officer of F12.net, said every Cisco ASA (Adaptive Security Appliance) device is compromised. Despite issuing patches to protect against it, an actor may have already gained access to the device, Engen said.
“They could possibly have what’s called a ‘backdoor’ that could allow them to stay within their organization. So, it’s very paramount for all organizations that have these devices to properly go through and validate that they don’t have a persistent threat actor in their environment,” he said.
Canada’s privacy commissioner is investigating a data breach at Global Affairs Canada involving a cyberattack on an internal network reported earlier in 2024.
Personal information of users, including employees, was compromised when unauthorized individuals accessed the department’s virtual private networks.
CTV News reached out to Global Affairs Canada to ask whether it was affected by the Cisco attack.
“The Government of Canada deals with ongoing and persistent cyber risks and threats every day and takes appropriate measures to protect its systems and mitigate against these threats,” a spokesperson told CTV News in an email.
“Given its profile, Global Affairs Canada has very proactive security monitoring in place, and takes cyber security and such incidents very seriously,” the spokesperson continued, adding the agency isn’t able to comment further due to “operational reasons.”
“I think for Canadians, the most interesting thing… is will we ever learn what country was behind this particular attack? And that will tell us something,” Beauceron Security CEO David Shipley said. “And whether or not the government would… ever formally attribute this attack will tell us something else. These are all really complicated things.”
The tech company released software updates to address the vulnerabilities that were exploited, “along with clear guidance to enable customers to detect potential compromise, upgrade, and restore integrity to compromised devices running ASA or FTD (Firepower Threat Defence) software,” a Cisco spokesperson told CTV News.
The spokesperson said users can be assured that the company has a history of earning customers’ trust through engagement and transparency when facing issues with its products.
Source link