Cisco investigating data breach: what we know so far


A well-known data broker says that he’s stolen copious amounts of data from Cisco, including the company’s business customer data. Hundreds of organizations, including the likes of Amazon, Samsung, Disney, Apple, IBM, and the US military have allegedly been impacted.

Threat actor IntelBroker, infamous for high-profile attacks against Europol, Apple, and others, claims to have struck down another giant – American multinational technology conglomerate Cisco. The attacker says he’s offering data taken from the company on October 6th.

Meanwhile, Cisco confirmed to Cybernews that the company is aware of the hacker’s claims and has launched an inquiry to determine if IntelBroker’s ad on a popular hacker forum has any basis.


“Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files. We have launched an investigation to assess this claim, and our investigation is ongoing,” the company’s spokesperson said.

Image: the forum post announcing the alleged Cisco breach. Image by Cybernews.

What was allegedly stolen from Cisco?

The attacker’s post on a data leak forum said the compromised data includes a large volume of sensitive files and credentials: GitHub, GitLab, and SonarQube projects, source code, hard-coded credentials, certificates, Cisco confidential documents, Jira tickets, API tokens, private AWS buckets, Azure storage buckets, private and public keys, SSL certificates, and other details that no company wants falling into the wrong hands.

Whoever had access to this type of information could attempt unauthorized entry into the company’s systems, disrupt operations, and steal valuable data. However, as of now, the hacker’s claims are unconfirmed. Since the attacker wanted to sell the data, only limited data samples were included in the original post.

The Cybernews research team investigated the information the attacker made public and concluded that the attacker’s claims seem “believable,” while reiterating that there is not enough data to know for sure.

The attacker included information on seven Cisco employees, with their names, usernames, email addresses, and hashed passwords revealed. However, most of the post consists of screenshots of Excel sheets, presentations, infrastructure panels, and similar material.

“Screenshots of data included in the original post look believable. However, since the threat actor is intending to sell the data and is most likely looking for price offers, the full extent of the breach is not revealed,” the team said.


Major companies listed in the leak

What’s clear is that the supposedly stolen data relates to Cisco’s business-to-business (B2B) clients. The attacker included a sheet listing over 1,000 names. However, the number of distinct companies is likely around 800, as some organizations are mentioned several times because several of their departments were supposedly exposed.

Some heavy hitters in the list of companies the attacker allegedly stole data from include Apple, Google, Microsoft, Amazon’s IT center and AWS, Citigroup, Alibaba, AT&T, Vodafone, and Bank of China.

The list of impacted organizations includes America's military branches, such as the US Air Force and the US Army. Federal institutions such as the FBI, NSA, and the US Postal Service were listed alongside major European institutions such as the European Parliament.

Institutions in other countries that could have been impacted by IntelBroker’s attack include those in Australia, the UK, Saudi Arabia, Egypt, Turkey, Sweden, the United Arab Emirates, South Africa, Mexico, Canada, and China. Dozens of major global banks are on the list, including Capital One, Deutsche Bank, Goldman Sachs, HSBC, ING Bank, JPMorgan Chase, and many others.

The combined net worth of all companies included in the list is in the hundreds of trillions of US dollars, which makes for a good advertisement for the threat actor. At the same time, without a detailed sample of what the leak contains, it is impossible to say whether any of the supposedly exposed information would have any impact on the organizations IntelBroker listed.

Who is IntelBroker?

IntelBroker is a notorious blackhat hacker believed to be responsible for hacking Europol’s Platform for Experts (EPE) and a security breach at DC Health Link, a health insurance company, which faced a congressional hearing over the attack.

IntelBroker also leaked data from PandaBuy and Home Depot, and stole data from General Electric, the US Citizenship and Immigration Services (USCIS), US cellular carriers, and Facebook Marketplace.

Researchers from the cybersecurity firm believe the attacker is of Serbian nationality but resides in Russia. However, the Cisco breach could suggest otherwise, as the list of companies impacted includes several Russian entities.


Meanwhile, a rule that Russian cybercriminals adhere to (some even agree to it in written form before joining ransomware gangs) is that businesses and organizations in Russia and in countries within its sphere of influence are not to be targeted.



Comments

Tdsan, 20 days ago
Interesting, a major conglomerate and they got hacked with all the technology in the world, so a small company like mine does not stand a chance. I am trying to figure out the following:

1. When did they actually find out and inform the public?
2. What triage steps did they take to identify the issue, or did the hacker's website show the way?
3. What happened to all of Cisco's Cloud Security Products and the training involved?

At what point is cybersecurity a mirage, or just keeping out of sight?