US and UK cybersecurity agencies have issued an urgent warning regarding a new backdoor malware, dubbed Firestarter, discovered within a US federal agency's network.
According to reports from theregister.com, the Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) identified the malware targeting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) products.
While the specific federal agency remains unnamed, the breach occurred within the Federal Civilian Executive Branch (FCEB). This group encompasses major entities including NASA, the FBI, the Department of Justice, and the IRS.
Firestarter provides attackers with remote access capabilities and demonstrates high levels of sophistication. CISA noted that the malware maintains persistent access to compromised networking devices even after software updates, allowing attackers to re-enter networks without needing new vulnerabilities.
Targeted infrastructure
CISA's investigation confirmed that a single FCEB agency was hit, though officials suspect the malware is part of a wider campaign targeting government and critical national infrastructure. The detected incident specifically involved a Cisco Firepower device running ASA software.
Security researchers at Cisco (which The Register refers to as Switchzilla) have identified the threat actor as UAT-4356. While the group appears to be government-backed, the outlet reported that Cisco has refused to attribute the attacks to any specific nation-state, including China, Russia, Iran, or North Korea.
This discovery follows previous warnings regarding attacks on Cisco products exploiting vulnerabilities CVE-2025-20333 and CVE-2025-20362. The latest findings serve as an update to CISA's earlier advisories regarding similar Cisco-focused exploits.
CISA and the NCSC are urging all organizations to implement detection and preventative measures. The agencies recommend using YARA rules to perform memory analysis on device core dumps or disk images.
Both agencies are also requesting that any organization that detects similar activity collate all evidence and submit it to them for intelligence-gathering purposes.
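The memory-analysis recommendation above is the one hands-on step in the article. As an added illustration (not the agencies' published rules, and not code from the article or from Cisco), the following Python script shows how a YARA-style indicator scan over a core dump or disk image is structured: the image is read in fixed windows with an overlap so that a pattern straddling a window boundary is still found, hits are reported with their absolute offset, and the same indicator table is emitted as a YARA rule so it can be handed to the real `yara` tool. Every indicator value, the sample dump, and the function names (`scan_stream`, `scan_bytes`, `scan_file`, `to_yara_rule`, `build_sample_dump`) are constructed placeholders, not Firestarter signatures.

```python
"""Scan a core dump or disk image for byte indicators, YARA-style.

Added illustration. The indicator values are constructed placeholders;
real signatures come from the CISA/NCSC advisories, not from this file.
"""
import io
from typing import Dict, List, Tuple

# Constructed placeholder indicators (rule name -> raw bytes).
INDICATORS: Dict[str, bytes] = {
    "placeholder_marker_a": b"EXAMPLE-MARKER-ALPHA",
    "placeholder_marker_b": bytes.fromhex("deadbeefcafe0001"),
}

CHUNK_SIZE = 1 << 20  # 1 MiB read window, so multi-GB dumps never sit in memory at once


def scan_stream(stream, indicators: Dict[str, bytes] = INDICATORS,
                chunk_size: int = CHUNK_SIZE) -> List[Tuple[str, int]]:
    """Return (indicator_name, absolute_offset) for every occurrence in the stream.

    The last (longest_pattern - 1) bytes of each window are carried into the
    next one, so a pattern split across a window boundary is still matched.
    A seen-set removes the duplicate a carried match would otherwise produce.
    """
    hits: List[Tuple[str, int]] = []
    seen = set()
    overlap = max(len(p) for p in indicators.values()) - 1
    carry = b""      # tail of the previous window
    carry_off = 0    # absolute offset of the first byte in `carry`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk          # buf[0] sits at absolute offset carry_off
        for name, pat in indicators.items():
            idx = buf.find(pat)
            while idx != -1:
                key = (name, carry_off + idx)
                if key not in seen:
                    seen.add(key)
                    hits.append(key)
                idx = buf.find(pat, idx + 1)
        carry = buf[-overlap:] if overlap > 0 else b""
        carry_off += len(buf) - len(carry)
    hits.sort(key=lambda h: h[1])
    return hits


def scan_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[str, int]]:
    """Convenience wrapper for an in-memory image (used by the sample below)."""
    return scan_stream(io.BytesIO(data), chunk_size=chunk_size)


def scan_file(path: str, chunk_size: int = CHUNK_SIZE) -> List[Tuple[str, int]]:
    """Scan a core dump or disk image on disk without loading it whole."""
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size=chunk_size)


def to_yara_rule(indicators: Dict[str, bytes] = INDICATORS,
                 rule_name: str = "placeholder_dump_indicators") -> str:
    """Render the indicator table as a YARA rule (hex strings, 'any of them')."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for name, pat in indicators.items():
        hexbytes = " ".join(f"{b:02X}" for b in pat)
        lines.append(f"        ${name} = {{ {hexbytes} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def build_sample_dump() -> bytes:
    """Constructed 300-byte stand-in for a dump, markers placed at known offsets.

    With chunk_size=64 both markers straddle a window boundary (128 and 256),
    which is exactly the case the overlap logic exists for.
    """
    dump = bytearray(300)
    dump[120:140] = INDICATORS["placeholder_marker_a"]   # 20 bytes, crosses 128
    dump[250:258] = INDICATORS["placeholder_marker_b"]   # 8 bytes, crosses 256
    return bytes(dump)


if __name__ == "__main__":
    for name, off in scan_bytes(build_sample_dump(), chunk_size=64):
        print(f"{name} at offset 0x{off:x}")
    print(to_yara_rule())
```

In practice the rule text from `to_yara_rule()` is saved to a `.yar` file and run with the `yara` binary against the dump, which is the workflow the agencies describe; the Python scanner here mainly makes the window-overlap point explicit, since a naive chunked scan silently misses any indicator that happens to fall on a read boundary.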
The warning arrives shortly after a separate, collective alert from ten countries, including the Five Eyes alliance, regarding Chinese offensive cyber operations. That alert claimed China is building covert networks using consumer-grade SOHO routers to launch attacks against adversaries.