Global Espionage: China-Linked Storm-1849 Targets U.S. & European Cisco ASA Networks
The Chinese hacking group Storm-1849 continues its aggressive campaign against Cisco ASA devices used by government agencies and major organizations worldwide. The findings come from Unit 42, the threat intelligence division of Palo Alto Networks, which has been closely monitoring the group’s activity throughout October. Compromised devices have been identified not only in the United States but also within governmental networks across Europe, Asia, Africa, and Oceania.
Cisco Adaptive Security Appliance (ASA) remains one of the most widely deployed network security products, combining firewall, antivirus, anti-spam, and other protective functions. Its prevalence within the infrastructures of ministries, banks, and defense contractors has made it a high-value target for adversaries.
According to Unit 42, Storm-1849’s operations were particularly active in October, pausing only during the first week of the month—presumably due to China’s Golden Week holiday. Analysts documented targeted reconnaissance and exploitation attempts against 12 IP addresses belonging to U.S. federal entities and 11 more tied to state and municipal networks. Beyond the U.S., affected systems were identified in India, France, the United Kingdom, Japan, Norway, the UAE, Australia, Poland, Austria, Spain, the Netherlands, Nigeria, Azerbaijan, and Bhutan.
Storm-1849, also tracked under the designation UAT4356, has been exploiting vulnerabilities in Cisco ASA devices since at least 2024, according to Cisco. The company has collaborated with government agencies to investigate a wave of intrusions targeting the ASA 5500-X series with VPN web services enabled.
In October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating that all federal civilian agencies immediately patch two critical vulnerabilities—CVE-2025-30333 and CVE-2025-20362. The agency’s report noted that attackers have been combining both flaws to gain persistent access to systems, even surviving firmware updates or reboots.
Despite widespread awareness and CISA’s directive, Storm-1849’s attacks have not subsided. Experts warn that the group continues to evolve, demonstrating increasing sophistication and operational speed. While CISA has refrained from officially attributing the attacks to China, related infrastructure analysis conducted by Censys under the ArcaneDoor framework has revealed links to Chinese network providers and censorship-circumvention tools developed within China.
Both CISA and Cisco have declined to comment further on whether the 2025 campaign is connected to known Chinese threat actors, despite its notable similarities to the ArcaneDoor operation uncovered the previous year.