# Full Report
In a report shared with Recorded Future News, Unit 42 attributed the targeting of Cisco ASA devices to Storm-1849, a China-based threat group that Cisco previously said has been attacking these devices since 2024.
# Analysis Summary
# Threat Actor: Storm-1849
(Also referred to as UAT4356)
## Attribution & Identity
* **Attribution:** China-based threat group.
* **Known Aliases:** UAT4356.
* **Associated Groups:** An implied link to state-sponsored activity, based on the targeting profile and the comparison with the ArcaneDoor campaign, which CISA attributed to nation-state hackers.
## Activity Summary
Storm-1849 is actively scanning for and exploiting vulnerabilities in Cisco Adaptive Security Appliance (ASA) devices. The targeting, first noted by Cisco in 2024, continued throughout October (of the reporting year), with researchers tracking persistent attempts to compromise these firewalls. Activity paused briefly between October 1st and October 8th, likely coinciding with China's Golden Week holiday. The group has persisted despite CISA emergency directives ordering the patching of the critical vulnerabilities involved.
## Tactics, Techniques & Procedures
* **Exploitation Chain:** Hackers were observed chaining together vulnerabilities CVE-2025-30333 and CVE-2025-30362.
* **Persistence Mechanisms:** Sophisticated methods were used to maintain access to exploited ASAs such that the compromise persisted through device reboots and system upgrades.
* **Initial Access:** Scanning and exploitation of vulnerable government edge devices (Cisco ASA).
## Targeting
* **Sectors:** Government, defense industry, and financial institutions.
* **Geography:** Worldwide targeting of federal, state, and local government IP addresses, including the U.S., India, Nigeria, Japan, Norway, France, the U.K., the Netherlands, Spain, Australia, Poland, Austria, UAE, Azerbaijan, and Bhutan.
* **Victims:** Specific targets tracked include U.S. federal agencies (12 IP addresses), U.S. local and state government entities (11 IP addresses), U.S. financial institutions, and defense contractors.
## Tools & Infrastructure
* **Malware Families Used:** Not named in the source text; the activity is characterised by exploitation of Cisco ASA software and the persistence it establishes.
* **Infrastructure (C2, domains, IPs):** Exploitation activity targeted 35 specific IP addresses associated with government entities across multiple countries. (The source text lists no specific IPs or domains.)
## Implications
Storm-1849 is a rapidly emerging and globally active threat actor specializing in exploiting widely deployed, critical infrastructure devices (Cisco ASA). Their continued activity against government entities post-emergency directive suggests high operational tempo and a focus on gaining persistent access to government networks globally, positioning them as a significant player alongside established groups like Volt Typhoon.
## Mitigations
* Immediately patch Cisco ASA devices against CVE-2025-30333 and CVE-2025-30362, as exploitation is occurring with "alarming ease."
* Remove any persistence established through exploitation, and verify that attacker access does not survive reboots or system upgrades; given the persistence mechanisms observed, a patched version alone is not proof of a clean device.
* Monitor network perimeter devices (ASAs) for signs of unauthorized persistence mechanisms.
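As an added, defender-side example that is not part of the report or of any Cisco tooling: a short Python script supporting the first mitigation above, which triages an ASA inventory by parsing each device's `show version` banner and comparing it with a per-train minimum fixed release. The fixed-release table, hostnames and banners are constructed placeholders; the real fixed releases for the two CVEs named above come from Cisco's advisory, which this page does not reproduce.

```python
"""Added example (not from the report): triage an ASA inventory by patch status.

Parses Cisco ASA version strings of the form '9.16(4)12' as they appear in
'show version' output and compares them with a per-train minimum fixed
release. FIXED_BY_TRAIN is a PLACEHOLDER assumption for this example; take
the real values from the Cisco advisory for CVE-2025-30333 / CVE-2025-30362.
"""
import re
from typing import Optional

# major.minor(maintenance)interim, e.g. 9.16(4)12; the interim part is optional.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)?")


def parse_asa_version(text: str) -> Optional[tuple]:
    """Return (major, minor, maintenance, interim) from a banner or bare version
    string, with interim defaulting to 0 when absent; None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


# PLACEHOLDER fixed releases keyed by train (major, minor); constructed, not Cisco's.
FIXED_BY_TRAIN = {
    (9, 16): (9, 16, 4, 85),
    (9, 18): (9, 18, 4, 67),
    (9, 20): (9, 20, 4, 10),
    (9, 22): (9, 22, 2, 14),
}


def is_patched(version: tuple, fixed_by_train=FIXED_BY_TRAIN) -> Optional[bool]:
    """True if the device runs at or above the fixed release for its train,
    False if below it, None if the train is not in the table (needs review)."""
    fixed = fixed_by_train.get(version[:2])
    if fixed is None:
        return None
    # Tuples compare element-wise, which matches how ASA releases are ordered.
    return version >= fixed


def triage(inventory: dict) -> dict:
    """Map hostname -> 'patched' | 'VULNERABLE' | 'unknown-train' | 'unparsed'."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown-train"}
    result = {}
    for host, banner in inventory.items():
        version = parse_asa_version(banner)
        if version is None:
            result[host] = "unparsed"
            continue
        result[host] = labels[is_patched(version)]
    return result


# Constructed sample banners (first line of 'show version'); not real devices.
SAMPLE_INVENTORY = {
    "asa-edge-01": "Cisco Adaptive Security Appliance Software Version 9.16(4)12",
    "asa-edge-02": "Cisco Adaptive Security Appliance Software Version 9.20(4)10",
    "asa-dc-03": "Cisco Adaptive Security Appliance Software Version 9.12(4)67",
    "asa-lab-04": "not an ASA banner",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A device whose train is absent from the table is reported as unknown-train rather than patched, so an unexpected release gets reviewed instead of silently passing. As the persistence bullet above notes, a fixed version string says nothing about whether a pre-existing implant survived the upgrade, so this triage tells you what to patch, not what is clean.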