Cisco recently confirmed that it is investigating reports of a major data breach. The claims surfaced after a known hacker group, IntelBroker, alleged that they had gained unauthorized access to Cisco’s systems. In a post on a cybercrime forum, IntelBroker detailed that they breached Cisco on June 10, 2024, stealing a significant amount of data, which reportedly includes source code, internal Cisco documents, and confidential customer data.
Who is behind the Cisco data breach?
A Cisco spokesperson shared a statement with BleepingComputer, saying, “Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files. We have launched an investigation to assess this claim, and our investigation is ongoing.” This public statement highlights Cisco’s cautious approach while confirming that an investigation is indeed underway. The spokesperson, however, did not reveal specific details regarding the nature or extent of the alleged breach.
IntelBroker claimed that they collaborated with two other individuals, identified as EnergyWeaponUser and “zjj,” to gain access to Cisco’s systems. The compromised data includes projects from GitHub, GitLab, and SonarQube, along with hard-coded credentials, SSL certificates, AWS and Azure storage buckets, API tokens, and much more. The threat actor also posted samples of the stolen data, which include screenshots of various customer management portals, a database, and internal Cisco documentation.
The data was allegedly stolen from a third-party managed services provider involved with Cisco’s software development and DevOps services. Sources indicate that this same vendor has faced breaches involving other major companies, including T-Mobile and Apple. However, it remains unclear whether this third-party provider was also the cause of Cisco’s recent issues.
What data was allegedly compromised?
IntelBroker’s post outlines a wide range of information that was purportedly stolen. According to the threat actor, the compromised data includes development projects hosted on platforms like GitHub, GitLab, and SonarQube, which are critical for Cisco’s software development processes. Additionally, the hackers claim to have obtained hard-coded credentials embedded within the source code, which could potentially provide unauthorized access to other parts of Cisco’s systems. Security certificates, including SSL certificates and both public and private encryption keys, were also reportedly compromised, posing a serious risk to secure communications within Cisco’s network.
The stolen data also includes internal documents labeled as “Cisco Confidential,” which may contain sensitive operational information. Furthermore, the hackers claim to have gained access to API tokens and cloud storage data, including AWS private buckets and Azure storage buckets. These assets could be exploited to gain unauthorized access to crucial systems. Other sensitive items listed include Docker builds, Jira tickets, and details related to Cisco’s premium products.
Potentially affected companies
IntelBroker claims that numerous high-profile corporations could be impacted by the breach. The alleged victims span across multiple industries, including telecommunications, finance, and technology, raising concerns about the potential exposure of critical assets. Telecommunications firms like Verizon, AT&T (in both the USA and Mexico), British Telecom, Vodafone (in Albania and Australia), and T-Mobile (in the USA and Poland) have been named among the potential victims. In the financial sector, major entities such as Bank of America, Barclays, and National Australian Bank are reportedly affected. Additionally, technology and health organizations, including Microsoft, Liberty Global, and Dignity Health, are also listed as victims of the alleged breach.
While these claims have yet to be verified, the involvement of such high-profile organizations has generated considerable concern. The scope of potentially compromised data presents serious risks not only for Cisco but also for the affected companies and their clients.
IntelBroker has offered the stolen data for sale on a well-known hacking forum. According to their post, the data is available for purchase using Monero (XMR), a cryptocurrency popular for its privacy features. The hacker has also expressed a willingness to use a middleman for the transaction, which is a common practice among cybercriminals aiming to ensure anonymity during the sale process. By using a cryptocurrency like Monero and offering to use a middleman, IntelBroker is attempting to make it difficult for law enforcement to track both the seller and the potential buyer.
The data reportedly being offered for sale includes sensitive information, such as certificates, API tokens, and credentials that could be used to access Cisco’s systems or that of its clients. The hacker group’s tactics follow a broader trend in which cybercriminals often monetize stolen data through underground forums, sometimes even selling it to competing firms or nation-states.
Consequences of the Cisco data breach
The consequences of a confirmed data breach on Cisco could be significant, both in terms of financial losses and reputational damage. Data breaches often result in negative publicity, reduced customer trust, and a decline in the company’s market value, all of which could potentially affect Cisco’s bottom line. Indeed, shares of Cisco Systems saw a slight decline after news of the alleged breach was made public. HackManac posted details about the breach on the social platform X (formerly Twitter), leading to shares dropping $0.30 to $53.95 during afternoon trading.
🚨Data Breach Alert ‼️
IntelBroker, in collaboration with EnergyWeaponUser and zjj, claims to be selling data from a recent Cisco breach.
The compromised data reportedly includes GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, certificates,… pic.twitter.com/b3ZHbLs773
— HackManac (@H4ckManac) October 14, 2024
This decline may reflect investor uncertainty, particularly in light of the extensive claims made by IntelBroker. At the time of writing, according to TradingView data, Cisco’s stock price stands at $54.16, showing some stabilization after the incident.
Cisco’s response so far
Cisco’s response has been measured, providing limited information while confirming that they are actively investigating the claims. This approach could indicate that the company is still working to determine the full extent of any breach that may have occurred. Given the involvement of high-profile corporate clients and the nature of the stolen data, it is likely that Cisco will face considerable pressure to provide a comprehensive public statement once the investigation concludes.
Hackread.com has also reported that it reached out to Cisco for comment but has not yet received a response. If the claims are confirmed, Cisco’s public relations strategy will likely have to address not only the scope of the attack but also provide details on how they intend to mitigate potential future risks.
IntelBroker: A history of data breaches
IntelBroker has a track record of conducting high-profile data breaches. Earlier this year, the hacker group claimed responsibility for breaching several major companies, including T-Mobile, HPE, and AMD. During the attack on Apple in June 2024, IntelBroker claimed to have stolen source code related to the company’s internal tools, whereas in the case of AMD, they allegedly gained access to sensitive employee and product information.
IntelBroker’s increasing prominence in the cybercrime community makes their recent claim against Cisco particularly worrying. While it remains to be seen whether all of the details are accurate, the hacker group’s previous successes lend a level of credibility to the present allegations. Law enforcement agencies, as well as affected companies, are likely monitoring IntelBroker’s activities closely as they seek to understand how these breaches occurred and what could be done to mitigate such risks in the future.
Featured image credit: Cisco
