Federal cyber agency warns of 'serious and urgent' attack on tech used by remote workers

Government cyber agencies around the world are rushing to clamp down on what appears to be an advanced and sophisticated espionage campaign targeting popular security software used by remote workers.  

Calling the threat "serious and urgent," Canada's Communications Security Establishment's (CSE) Centre for Cyber Security joined its international allies Thursday in urging organizations to take immediate action to patch vulnerabilities following a widespread hit on the technology security company Cisco.

The impacted technology is commonly used by organizations to enable virtual private networks, or VPN — a necessity for many remote workers.

Underscoring the breadth of the issue, CSE said its guidance is aimed at "critical infrastructure sectors, including municipal, provincial and territorial governments, academia and research facilities."

"This is a critical moment for Canadian organizations. Threat actors are targeting legacy systems with increasing sophistication," said Rajiv Gupta, head of the Canadian Centre for Cyber Security, in a statement Thursday.

"I urge all critical infrastructure sectors to act swiftly."

In its own statement, Cisco said it was first made aware of an attack in May impacting its Adaptive Security Appliance (ASA) devices. The company said it has since discovered the same threat actor exploited new vulnerabilities in ASA devices to "implant malware, execute commands, and potentially exfiltrate data from compromised devices."

Cisco said it believes "with high confidence" the attackers are the same threat actors behind what's been called the ArcaneDoor campaign. It described it as a state-sponsored actor running an espionage-focused campaign.

CSE would not comment on who is behind the attack and said it's still investigating the scope of the vulnerability in Canada. 

"Take our warning seriously," a spokesperson said in an email to CBC News. 

Mike Gropp, a senior cybersecurity adviser with Rogers Cybersecure Catalyst out of Toronto Metropolitan University, described it as "a front door breaking on the very devices that guard corporate and government networks."

Cisco's firewalls "sit at the edge of thousands of Canadian organizations," including banks, hospitals, utilities and public agencies, he said. 

"So when attackers compromise these devices, they can silently monitor, steal or reroute all the traffic that flows through them," he said.

"A successful attack can expose things like patient records, financial data, or even government communications and even disrupt essential services."

Gropp said the techniques in the latest Cisco attack align with the modus operandi of a state-sponsored attacker, like China or Russia, who prioritize stealth and persistence to gain geopolitical leverage.

State-sponsored actors are likely seeking government communications or information on new technologies, he said.

Or infiltrating the system to play the long game. 

"Gathering information, seeing what's in the network, how it's architected, how it's secured, what software is in use, what people are there, and potentially at a critical point, maybe in time of war, in trade talks, things like that, they would want to then disrupt those services to have some additional leverage in those strategic situations," Gropp said. 

The attack has set off alarm bells around the world.

The U.S. Cybersecurity and Infrastructure Security Agency issued a rare emergency directive Thursday about the "advanced threat actor's" ongoing campaign on Cisco and ordered all federal civilian agencies to patch vulnerabilities by Friday at midnight.

"This activity presents a significant risk to victim networks," said the U.S. directive. 

The United Kingdom's National Cyber Security Centre (NCSC) issued a similar warning, suggesting the malware used in this attack marks "a significant evolution" both in sophistication and the hackers' ability to evade detection. 

CSE said it's working with Cisco and the Five Eyes intelligence alliance to provide support.
