Latest in long-running pwning of Cisco kit found in mystery Fed agency
A US federal agency was successfully targeted by a previously unknown backdoor malware called Firestarter, according to CISA cybersnoops and their UK counterparts – neither of which disclosed the agency's name.
Described as a backdoor with remote access capabilities, Firestarter was named after Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD), the two products the malware targeted.
The CISA advisory states that only one FCEB agency was attacked with the malware, although it is suspected of being part of a wider campaign targeting government and critical national infrastructure networks in particular.
Further, the lone incident CISA has investigated so far involved a Cisco Firepower device running ASA software, although Secure Firewall devices are also thought to be susceptible to attack.
Despite the perceived focus on government and critical national infrastructure, all organizations in the US and UK are advised to take preventative measures.
CISA said Firestarter was especially sophisticated in that it maintained persistent access to compromised networking devices even after they were updated, allowing attackers to re-enter victims' networks without needing to exploit any new vulnerabilities.
The malware was detected following routine continuous network monitoring.
All organizations are advised to use YARA rules while carrying out memory analysis from device core dumps or disk images.
Both CISA and its British counterparts at the National Cyber Security Centre (NCSC) want any organization that gets hit to collate all the evidence and submit it to them for intelligence-gathering purposes.
The findings this week are an update to CISA's earlier advisory, which warned of other attacks on Cisco products that exploited CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5).
Likewise, Cisco is attributing the latest attacks to the same group it suspects was behind others from last year.
Switchzilla tracks the group with the UAT-4356 identifier, but has consistently refused to attribute it to a nation-state, including any of the US's four primary geopolitical adversaries (China, Russia, Iran, North Korea), although it has said the group appears to be government-backed.
The news of the federal agency's compromise comes just hours after intelligence agencies collectively issued a second warning this month about China's offensive cyber operations.
Ten countries, including those in the Five Eyes alliance, were involved in the second warning of its kind in recent weeks, once again claiming that China was building covert networks, such as recruiting consumer-grade SOHO routers, to launch cyberattacks on adversaries.
Source: This article was originally published by The Register