29MAY

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

3 min read

14:17UTC

Unit 42 confirmed state-sponsored cluster CL-STA-1132 has been inside PAN-OS firewalls since 16 April, running the same service-account enumeration and forensic-log destruction doctrine that CISA and the NCSC named against Cisco two weeks ago.

← Back to GitHub's own code cloned via VS Code add-on Jump to analysis ↓

TechnologyDeveloping

Key takeaway

Three state clusters used the same log-destruction and service-account playbook across three firewall vendors in two weeks.

Unit 42, Palo Alto Networks' threat-research arm, confirmed that state-sponsored cluster CL-STA-1132 has exploited CVE-2026-0300 since 16 April, a 20-day window of access before any advisory existed.¹ Post-exploitation tradecraft recorded by Unit 42 includes shellcode injected into the nginx worker process, Active Directory (AD) enumeration via the firewall's own service account, lateral movement using open-source tunnelling tools EarthWorm and ReverseSocks5, and methodical destruction of crash logs, kernel messages and ptrace evidence.² Two devices are confirmed compromised; that figure represents the floor, not the ceiling.

The tradecraft is substantively identical to UAT-4356 running FIRESTARTER on Cisco ASA and Firepower firewalls , and to UNC5221 running BRICKSTORM on VMware appliances , where 393 days of dwell time passed before the cluster was detected. In each case: perimeter device as initial access, the device's own service account for internal enumeration, deliberate log destruction to eliminate forensic visibility. A defender who follows standard guidance (no exposed credentials, segmented zones) still faces a firewall whose logs are gone before the alert fires, with lateral movement arriving from a service account the security operations centre treats as trusted.

The sixteen-agency IOC advisory named the shared doctrine across Cisco infrastructure. CL-STA-1132 extends it to a third vendor in the same fortnight. The pattern no longer belongs to a single nation-state programme. Multiple offensive units have adopted the same playbook, which means defenders cannot calibrate their response to a specific country attribution; they must treat the doctrine itself as the threat model.

Deep Analysis

In plain English

A state-sponsored hacking group called CL-STA-1132 broke into Palo Alto Networks firewall devices starting on 16 April, roughly three weeks before this was publicly revealed. These firewalls are the devices businesses and government agencies use to protect their networks from outside attackers. Once inside, the group did something important: they deleted the logs that would normally tell a security team what happened. They also used the firewall's own user accounts to move around the internal network, because those accounts are trusted by other systems. This tradecraft, the combination of using a trusted device's own credentials and destroying the evidence afterwards, has now been seen in attacks on three different firewall vendors within two weeks. Security researchers say the technique has spread across multiple hacking programmes.

Deep Analysis

Root Causes

The convergence on firewall perimeter devices as entry points reflects a structural reality: next-generation firewalls occupy a position in the network where they have authenticated access to internal systems via service accounts, and where defenders rarely deploy endpoint detection agents. EDR tools are licensed for servers and workstations; the firewall runs a proprietary OS that sits outside standard EDR telemetry.

Active Directory enumeration via the firewall's own service account is exploitable precisely because network segmentation designs give firewalls legitimate, trusted access to directory services for user-identity resolution. The attacker abuses a function that must exist for the firewall to operate correctly.

The 20-day gap between first exploitation on 16 April and the advisory on 6 May reflects the time required to confirm exploitation with forensic confidence, not necessarily the time Unit 42 required to detect it. Perimeter-device forensics require specialised tooling and typically a physical or out-of-band management connection that disrupts production traffic during collection.

What could happen next?

Risk
Defenders on PAN-OS have a 20-day window of potentially unobserved lateral movement from a trusted service account that standard SOC tooling would not have flagged.
Immediate · 0.85
Consequence
The proliferation of log-destruction doctrine across CL-STA-1132, UAT-4356, and UNC5221 means defenders must now treat absence-of-logs as a positive indicator of compromise, not just an inconvenience.
Short term · 0.9
Precedent
Unit 42's public attribution of CL-STA-1132 with specific tradecraft documentation (shellcode in nginx worker, service-account enumeration) accelerates detection rule development for organisations still exposed.
Short term · 0.8

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: In 2014, the Equation Group's post-exploitation framework DOUBLEFANTASY included a module explicitly designed to clear Linux auth logs and bash history files, documented by Kaspersky Lab in 2015.

The technique was later observed in WannaCry post-infection cleanup, having spread from the NSA toolset via the Shadow Brokers dump in 2017. The pattern from 2014 to 2017 was: elite programme develops technique, technique proliferates through dump or training transfer, non-state actors adopt it.

Counter-parallel: The 2022 Sandworm Cyclops Blink disclosure showed that even when post-exploitation modules include forensic-wipe capabilities, defenders who identify the initial compromise vector can reconstruct the timeline using firmware memory dumps rather than logs. The log-wipe doctrine creates a blind-log condition, but it does not eliminate all forensic surface.

The two confirmed compromised devices represent a disclosed floor. The remediation cost per device is disproportionate to the device count: each affected PAN-OS unit requires a full forensic acquisition, log reconstruction against a baseline of known-destroyed artefacts, credential rotation for every service account the firewall held, and re-certification of any internal systems the firewall's service account accessed during the 20-day window.

For US federal agencies, that work scope triggers a formal incident response under OMB Memorandum M-21-31, which requires 72-hour notification to CISA and a 30-day closure report. The per-device compliance cost in engineering hours and third-party IR fees runs to six figures in the US federal market.

Consensus view: Recorded Future's Insikt Group and RUSI both assess the forensic-log destruction pattern as a deliberate operational security discipline, not opportunism: the systematic deletion of crash logs, kernel messages, and ptrace artefacts requires pre-prepared tooling and a threat actor who rehearsed the post-exploitation phase before the operation, indicating a mature offensive programme with institutional memory.

Counter-view: Citizen Lab's Senior Researcher Bill Marczak argues the tradecraft consistency across CL-STA-1132, UAT-4356, and UNC5221 may reflect shared training infrastructure or tooling marketplaces rather than a single programme proliferating, citing the way commercially-developed offensive frameworks such as Cobalt Strike spread across unrelated state actors before attribution could be made.

Key tension: Whether three clusters running substantively identical log-destruction doctrine against three different firewall vendors represents a single shared playbook circulating among allied state programmes, or independent convergence on the same obvious operational security technique.

First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

Palo Alto Networks PSIRT· 8 May 2026

Read original →

Causes and effects

This Event

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

Three state-nexus clusters in two weeks have used the same post-exploitation playbook across three firewall vendors, confirming the doctrine has proliferated to the point where defenders should treat log absence as an intrusion indicator rather than a systems-management gap.

Led to

FIRESTARTER implant survives every Cisco firewall patch

CL-STA-1132 on PAN-OS runs identical post-exploitation doctrine to UAT-4356 FIRESTARTER on Cisco ASA and Firepower: service-account abuse, log destruction, open-source lateral movement tooling.

Occurred 24 Apr 2026

Read story →

BRICKSTORM dwell hits 393 days, Mandiant

CL-STA-1132 is the third state-nexus cluster in two updates using the same perimeter-device doctrine as UNC5221 BRICKSTORM on VMware.

Occurred 1 Mar 2026

Read story →

Different Perspectives

Google Threat Intelligence Group

GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.

Enterprise security buyers / CISO community

For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.

DSIT / UK Government

DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.

GitHub / Microsoft

GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.