A U.S. federal agency has been compromised by a previously unidentified backdoor malware known as Firestarter, according to the Cybersecurity and Infrastructure Security Agency (CISA) and its UK counterpart. The specific agency involved has not been disclosed.
Details of the Incident
The malware, which provides remote access capabilities, specifically targets Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD). CISA’s advisory indicates that only one agency within the Federal Civilian Executive Branch (FCEB) was affected, although it is suspected that this incident is part of a broader campaign aimed at government and critical national infrastructure networks.
Technical Insights
The investigation revealed that the incident involved a Cisco Firepower device operating on ASA software. While only one incident has been confirmed, there are concerns that other Secure Firewall devices may also be vulnerable. Firestarter is noted for its sophistication, maintaining persistent access to compromised devices even after updates, allowing attackers to re-enter networks without needing to exploit new vulnerabilities.
Preventative Measures and Recommendations
CISA has advised all organizations, not just those in government, to take precautionary steps. They recommend employing YARA rules for memory analysis from device core dumps or disk images. Both CISA and the UK’s National Cyber Security Centre (NCSC) are urging organizations that experience an attack to gather evidence and report it for intelligence purposes.
Context of Ongoing Threats
This incident follows earlier advisories from CISA regarding vulnerabilities in Cisco products, specifically CVE-2025-20333 (rated 9.9) and CVE-2025-20362 (rated 6.5). Cisco has linked these recent attacks to the same group responsible for previous incidents last year. While the group has been described as appearing to be government-backed, CISA has refrained from attributing it to any specific nation-state.
The revelation of the federal agency’s compromise coincides with a broader warning from intelligence agencies about ongoing cyber operations, particularly those attributed to China, which reportedly involve the use of consumer-grade routers for launching attacks.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.