"Sophisticated" nation-state crew exploiting Cisco firewalls


A previously unknown and "sophisticated" nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes – possibly attacking network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.


These cyber espionage campaigns, dubbed "ArcaneDoor" by Cisco, were first spotted in early January and disclosed on Wednesday. They targeted VPN services used by governments and critical infrastructure networks around the world, according to a joint advisory issued by the Canadian Center for Cyber Security (Cyber Centre), the Australian Signals Directorate's Cyber Security Center and the UK's National Cyber Security Center (NCSC).

A Cisco spokesperson declined to comment on which country the snooping crew — tracked as UAT4356 by Talos and as STORM-1849 by Microsoft — is affiliated with. However, the revelations come as both Russian and China-backed hacker groups have been found burrowing into critical infrastructure systems and government agencies, with China specifically targeting Cisco equipment.

The mysterious nation-state group "used tailor-made tools that demonstrated a clear focus on espionage and a deep knowledge of the entities they targeted, hallmarks of a sophisticated state-sponsored actor," according to a Talos report published today.
