Ransomware Gang Posts Data Online Stolen From Cisco

But enterprise networking and security giant says the data was not sensitive and the hack had ‘no impact to our business.’


Cisco is confirming that data recently splashed across the internet by the Yanluowang ransomware gang included information that was hacked from its network this past spring.

But the San Jose, Calif.-based Cisco stressed that the leaked information, which first appeared online on Sept. 11, was not sensitive and the incident didn’t affect business.

“We continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations,” Cisco Talos said in a blog update post.


Noting that it previously acknowledged in August that it had been the target of a cyberattack in May, Cisco said its assessment of what happened overall hasn’t changed over the weeks – that the attack wasn’t a severe hit to Cisco.

Still, Cisco did note that the attacker was persistent and wouldn’t give up easily even after being detected.

“During the investigation (by Cisco Security Incident Response and Cisco Talos), it was determined that a Cisco employee’s credentials were compromised after the attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized,” Cisco wrote.

“The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.”

Once detected, it wasn’t easy getting rid of the attacker, which Cisco said “displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however these attempts were unsuccessful.”
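The MFA push-fatigue pattern Cisco describes above leaves a recognizable trace in authentication logs: a burst of denied or ignored push prompts for one user, followed by an acceptance. The following is an added example, not Cisco’s or Talos’s code; the log format, field names, window and threshold are assumptions for illustration.

```python
"""Flag MFA push acceptances that follow a burst of denied/timed-out pushes.

Added example, not Cisco's code. Log format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Cisco data).
# Assumed format: ISO timestamp, username, MFA push result.
SAMPLE_LOG = """\
2022-05-10T08:01:10Z alice push_denied
2022-05-10T08:01:45Z alice push_denied
2022-05-10T08:02:20Z alice push_timeout
2022-05-10T08:03:05Z alice push_denied
2022-05-10T08:04:30Z alice push_accepted
2022-05-10T08:05:00Z bob push_accepted
2022-05-10T09:10:00Z carol push_denied
2022-05-10T11:30:00Z carol push_accepted
"""

WINDOW = timedelta(minutes=10)  # look-back before an acceptance (assumed value)
THRESHOLD = 3                   # rejected/ignored pushes that make it suspicious (assumed)

def parse_log(text):
    """Parse the assumed three-field log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, acceptance_time, prior_failures) for every acceptance that was
    preceded by at least `threshold` denied or timed-out pushes within `window`."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = []
    for user, rows in by_user.items():
        for i, (ts, result) in enumerate(rows):
            if result != "push_accepted":
                continue
            prior = [r for t, r in rows[:i]
                     if r in ("push_denied", "push_timeout") and ts - t <= window]
            if len(prior) >= threshold:
                alerts.append((user, ts, len(prior)))
    return alerts

if __name__ == "__main__":
    for user, ts, n in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: push accepted at {ts:%H:%M:%S} after {n} rejected/ignored pushes")
```

Only alice trips the rule in the sample; carol’s single earlier denial falls outside the window and below the threshold, which is the kind of benign noise a real detection has to tolerate.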

According to BleepingComputer, the Yanluowang leader is now claiming Cisco is downplaying the severity of the attack, telling BleepingComputer “that they stole thousands of files amounting to 55GB and that the cache included classified documents, technical schematics, and source code.”

BleepingComputer said Cisco denied the possibility that the intruders had exfiltrated or accessed any source code.

A Cisco representative could not be reached for comment by CRN as of mid-afternoon Monday.

At least one Cisco partner said that the Yanluowang ransomware gang attack against Cisco is another sign of the difficulty of securing a large global enterprise in the wake of the post-pandemic work-at-home era.

In the blog post, Cisco said “initial access” to the Cisco VPN was achieved “via the successful compromise of a Cisco employee’s personal Google account.” That user had enabled password syncing via the Google Chrome browser and had stored their “Cisco credentials” in the browser.

“It could happen to anybody,” said a top executive for an SP500 Cisco enterprise partner who did not want to be identified.

“With work-from-home and distributed workforces there is just so much opportunity for company data to be where it is not supposed to be. I am sure Cisco has policies that say you should not put data on non-approved cloud resources but it happens,” said the executive.

The top technology executive emphasized that Cisco’s network remained secure.

“The network itself is not what was compromised,” he said. “This was an employee breaking Cisco policies and electronic protections by moving data into a non-managed resource like Box.”

The attack highlights the need for employees to be trained and educated on the “damage” they can cause by not following corporate security policies, said the executive.

“Education and training is paramount,” he said. “I am sure Cisco does security training. This accentuates the need for continuous training for employees and contractors and continual refinement of security policies and the tools you have available to enforce those policies.”

The technology executive said ransomware breaches are at an all-time high. “It is non-stop,” he said.

The SP500 executive said his company’s security business has doubled in the last year.

“Any partner that is not investing in their security practice is missing an opportunity and a need of their customers,” he said.