Cisco Hacked – Gang Claims it has 2.8GB of Data | Ransomware Demand not confirmed raising questions about hack being Geo-Poli-Cyber motivated.
Networking giant Cisco confirms being hacked as a ransomware group publishes a partial list of files it claims to have exfiltrated from the tech giant.
On the same day that the Yanluowang ransomware group published a partial list of files it says were stolen from Cisco, the networking giant’s Talos Intelligence Group confirmed that Cisco had, indeed, been hacked.
The confirmation, that came by way of a Talos blog posting, stated Cisco was first made aware of a potential compromise on May 24. The potential compromise became a confirmed network breach following further investigation by the Cisco Security Incident Response (CSIRT) team.
Who are the hackers?
Cisco said that the initial access vector was through the successful phishing of an employee’s personal Google account, which ultimately led to the compromise of their credentials and access to the Cisco VPN.
The threat actor, confirmed as an initial access broker with ties to a Russian group called UNC2447 as well as the Yanluowang ransomware gang was ejected from the network and prevented from re-entry despite many attempts over the following weeks. The tactics, techniques, and procedures (TTPs) also showed some overlap with the Lapsus$ group, many of whom were arrested earlier in the year.
Cisco: “No ransomware deployed”
Importantly, Cisco initially said that there was no ransomware deployment during the attack that it could find. CSIRT has stated.
An MLi Group Geo-Poli-Cyber, Survivability, and security experts said:
“Cisco stating that it did not identify any impact to its business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations cannot mean that no impact happened.
The expert added:
“It is surprising for Cisco to be so conclusive so early that no damage has happened, especially if the hackers had sinister Geo-Poli-Cyber motivations. The data they accessed or stole can then be a treasure more valuable than gold if it was reverse engineered to perpetrate future attacks on Cisco, its partners or clients as targets. The hackers publishing a list of files from this security incident to the dark web is telling the world they are capable of a lot more”
A company-wide password reset was initiated after the breach and is to be praised for the clear and detailed disclosures it has made regarding the technicalities of the hack.
More updates to follow. Register for updates.