Cisco Hacked by Ransomware Gang, Data Stolen

Cybercriminals breached Cisco Systems and stole non-sensitive data

Profit-driven cybercriminals breached Cisco systems in May and stole gigabytes of information, but the networking giant says the incident did not impact its business.

Cisco on Wednesday released a security incident notice and a technical blog post detailing the breach. The intrusion was detected on May 24, but the company is only now sharing its side of the story, shortly after the cybercriminals published a list of files allegedly stolen from its systems.

Ransomware gang takes credit for Cisco hack

According to Cisco, the attacker targeted one of its employees and only managed to steal files stored in a Box folder associated with that employee’s account, as well as employee authentication data from Active Directory. The company claims the information stored in the Box folder was not sensitive.

For initial access, the attacker targeted the personal Google account of an employee. The hackers obtained the employee’s Cisco credentials via Chrome, which had been configured to sync passwords.

To bypass multi-factor authentication (MFA), the attacker used a technique known as MFA fatigue, in which the attacker sends a high volume of push requests to the target’s mobile device in the hope that the target will accept one, either by accident or in an attempt to silence the notifications. The targeted employee also received multiple phone calls over a period of several days, where the caller, claiming to be associated with a support organization, attempted to trick them into handing over information.

The attacker managed to enroll new devices for MFA and authenticated to the Cisco VPN. Once that was achieved, they started dropping remote access and post-exploitation tools. The hackers escalated their privileges, created backdoors for persistence, and moved to other systems in the environment, including Citrix servers and domain controllers.
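For defenders, the sequence described above (a burst of rejected or ignored push prompts, then an approval, then a new MFA device enrollment and a VPN login) can be correlated in authentication logs. The following is an added example, not code from Cisco or from the article; the log format, event names, user names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "time user event" format.
SAMPLE_LOG = """\
2024-01-15T09:00:00 bob push_denied
2024-01-15T09:00:40 bob push_timeout
2024-01-15T09:01:10 bob push_denied
2024-01-15T09:01:50 bob push_timeout
2024-01-15T09:02:30 bob push_denied
2024-01-15T09:03:00 bob push_approved
2024-01-15T09:06:00 bob device_enrolled
2024-01-15T09:08:00 bob vpn_login
2024-01-15T10:00:00 carol push_denied
2024-01-15T10:00:30 carol push_approved
2024-01-15T14:00:00 carol device_enrolled
"""

BURST_WINDOW = timedelta(minutes=10)  # assumed tuning value
BURST_MIN = 5                         # rejected/ignored prompts before an approval
FOLLOW_WINDOW = timedelta(hours=1)    # assumed: how long to watch after the approval

def parse(log):
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event

def detect(log):
    """Return {user: [stage, ...]} for users whose events match the chain."""
    failed = defaultdict(deque)  # recent rejected/ignored prompts per user
    suspect = {}                 # user -> time of an approval that followed a burst
    alerts = defaultdict(list)
    for ts, user, event in sorted(parse(log)):
        if event in ("push_denied", "push_timeout"):
            failed[user].append(ts)
        elif event == "push_approved":
            q = failed[user]
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()  # drop prompts older than the burst window
            if len(q) >= BURST_MIN:
                suspect[user] = ts
                alerts[user].append("approval_after_push_burst")
            q.clear()
        elif event in ("device_enrolled", "vpn_login"):
            # Enrollment or VPN use soon after a suspicious approval escalates it.
            if user in suspect and ts - suspect[user] <= FOLLOW_WINDOW:
                alerts[user].append(event + "_after_burst")
    return dict(alerts)
```

On the constructed log, only `bob` is flagged; `carol` has a single denied prompt before approving and enrolls a device hours later, so she produces no alert.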

After the intrusion was detected and the threat actor’s access was terminated, Cisco observed continuous attempts to regain access, but the company says they all failed.

Cisco has attributed the attack to an initial access broker with ties to the threat actor UNC2447, a Russia-linked group known for using FiveHands and HelloKitty ransomware, as well as Lapsus$, the gang that targeted several major companies before its alleged members were identified by law enforcement. The initial access broker has also been linked to the Yanluowang ransomware gang.

In fact, the Yanluowang ransomware group has taken credit for the attack, claiming to have stolen roughly 3,000 files with a total size of 2.8Gb. The file names published by the hackers suggest that they have stolen VPN clients, source code, NDAs and other documents.

“Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations,” Cisco said.

File-encrypting ransomware was not deployed in the attack. The threat actor did send emails to Cisco executives after being removed from its systems, but it “did not make any specific threats or extortion demands”.

Symantec first wrote about the Yanluowang ransomware in October 2021, when the malware appeared to be in development. A few weeks later, the company reported seeing the ransomware being used to target financial corporations in the United States.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
