
Network device hack made it possible to spy on governments
In January 2024, Cisco Talos spotted suspicious activity on Cisco’s adaptive security appliances. Afterwards, researchers found a “small set” of infected customers, all involving “government networks on a global scale.”
Launched in July 2023, the espionage campaign targeted network perimeter protection measures, in this case firewalls and VPNs. It also targeted the network perimeter of Microsoft and other providers. Attackers are thought to have first gained control of infrastructure in November 2023. Cisco has since released three patches for the identified vulnerabilities, two of which were critical.
Cisco Talos blamed the attack on a previously unknown malicious actor, dubbed “UAT4356”, or “Storm-1849” by Microsoft. In a joint press release, Australian, Canadian and British cybersecurity agencies stated UAT4356’s capabilities “were typical of a sophisticated, well-resourced, State-sponsored player.”
“Perimeter network measures make a perfect entry point for espionage campaigns (…). Over the last two years, we have observed a dramatic and sustained surge in this kind of targeting within telecoms and energy sectors. This critical infrastructure is likely a target of interest for a number of foreign governments,” reads the Cisco Talos report.