Hackers operating out of China are targeting a widely used series of Cisco firewalls, scanning and exploiting systems run by governments across the U.S., Europe, and Asia. 

Experts from Palo Alto Networks’ Unit 42 report that attackers are targeting Cisco Adaptive Security Appliances (ASA), a common choice for governments and enterprises because they combine multiple security roles such as firewalling, intrusion prevention, spam filtering, and antivirus protection. 

According to a report provided to Recorded Future News, Unit 42 identified Storm-1849 — a China-linked hacking group — as responsible for targeting Cisco ASA devices, continuing campaigns first observed by Cisco in 2024. 

According to Unit 42, China-linked hackers continued to target Cisco ASA devices used by U.S. defense contractors, military organizations, and financial firms throughout October. The threat group behind the campaign, Storm-1849 — also tracked as UAT4356 — has a history of going after government and defense-related networks.

Unit 42 analysts reported a dip in hacker activity between October 1 and October 8, coinciding with China’s Golden Week celebrations.

The report noted that 12 IPs associated with U.S. federal agencies were targeted by scanning and exploitation efforts, with a further 11 state and local government IPs coming under attack in October. 

The attacks extended beyond the United States, hitting government networks in India, Nigeria, Japan, Norway, France, the United Kingdom, the Netherlands, Spain, Australia, Poland, Austria, the U.A.E., Azerbaijan, and Bhutan. 

The Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive last month, mandating that all federal civilian agencies fix CVE-2025-30333 and CVE-2025-20362, vulnerabilities found in Cisco ASA systems. 

Hackers have been seen using both vulnerabilities together in live attacks, CISA said, adding that the threat actors are skilled enough to keep their access intact through ASA reboots and software updates. 

CISA gave agencies just a single day to patch the flaws, emphasizing that threat actors were exploiting them with “alarming ease.” Cisco later reported that in May 2025, it partnered with multiple government agencies to probe attacks on ASA 5500-X Series devices using Cisco Secure Firewall ASA Software with VPN capabilities.