Cisco data breach: Hackers accessed to source code

Cisco recently confirmed that it is investigating reports of a major data breach. The claims surfaced after a known hacker group, IntelBroker, alleged that they had gained unauthorized access to Cisco’s systems. In a post on a cybercrime forum, IntelBroker detailed that they breached Cisco on June 10, 2024, stealing a significant amount of data, which reportedly includes source code, internal Cisco documents, and confidential customer data.

Who is behind the Cisco data breach?

A Cisco spokesperson shared a statement with BleepingComputer, saying, “Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files. We have launched an investigation to assess this claim, and our investigation is ongoing.” This public statement highlights Cisco’s cautious approach while confirming that an investigation is indeed underway. The spokesperson, however, did not reveal specific details regarding the nature or extent of the alleged breach.

The data was allegedly stolen from a third-party managed services provider involved with Cisco’s software development and DevOps services

IntelBroker claimed that they collaborated with two other individuals, identified as EnergyWeaponUser and “zjj,” to gain access to Cisco’s systems. The compromised data includes projects from GitHub, GitLab, and SonarQube, along with hard-coded credentials, SSL certificates, AWS and Azure storage buckets, API tokens, and much more. The threat actor also posted samples of the stolen data, which include screenshots of various customer management portals, a database, and internal Cisco documentation.

The data was allegedly stolen from a third-party managed services provider involved with Cisco’s software development and DevOps services. Sources indicate that this same vendor has faced breaches involving other major companies, including T-Mobile and Apple. However, it remains unclear whether this third-party provider was also the cause of Cisco’s recent issues.

What data was allegedly compromised?

IntelBroker’s post outlines a wide range of information that was purportedly stolen. According to the threat actor, the compromised data includes development projects hosted on platforms like GitHub, GitLab, and SonarQube, which are critical for Cisco’s software development processes. Additionally, the hackers claim to have obtained hard-coded credentials embedded within the source code, which could potentially provide unauthorized access to other parts of Cisco’s systems. Security certificates, including SSL certificates and both public and private encryption keys, were also reportedly compromised, posing a serious risk to secure communications within Cisco’s network.

The stolen data also includes internal documents labeled as “Cisco Confidential,” which may contain sensitive operational information. Furthermore, the hackers claim to have gained access to API tokens and cloud storage data, including AWS private buckets and Azure storage buckets. These assets could be exploited to gain unauthorized access to crucial systems. Other sensitive items listed include Docker builds, Jira tickets, and details related to Cisco’s premium products.

Cisco recently confirmed that it is investigating reports of a major data breach (Image credit) Potentially affected companies

IntelBroker claims that numerous high-profile corporations could be impacted by the breach. The alleged victims span across multiple industries, including telecommunications, finance, and technology, raising concerns about the potential exposure of critical assets. Telecommunications firms like Verizon, AT&T (in both the USA and Mexico), British Telecom, Vodafone (in Albania and Australia), and T-Mobile (in the USA and Poland) have been named among the potential victims. In the financial sector, major entities such as Bank of America, Barclays, and National Australian Bank are reportedly affected. Additionally, technology and health organizations, including Microsoft, Liberty Global, and Dignity Health, are also listed as victims of the alleged breach.

IntelBroker claims that numerous high-profile corporations could be impacted by the breach (Image credit)

While these claims have yet to be verified, the involvement of such high-profile organizations has generated considerable concern. The scope of potentially compromised data presents serious risks not only for Cisco but also for the affected companies and their clients.

IntelBroker has offered the stolen data for sale on a well-known hacking forum. According to their post, the data is available for purchase using Monero (XMR), a cryptocurrency popular for its privacy features. The hacker has also expressed a willingness to use a middleman for the transaction, which is a common practice among cybercriminals aiming to ensure anonymity during the sale process. By using a cryptocurrency like Monero and offering to use a middleman, IntelBroker is attempting to make it difficult for law enforcement to track both the seller and the potential buyer.

The data reportedly being offered for sale includes sensitive information, such as certificates, API tokens, and credentials that could be used to access Cisco’s systems or that of its clients. The hacker group’s tactics follow a broader trend in which cybercriminals often monetize stolen data through underground forums, sometimes even selling it to competing firms or nation-states.

Consequences of the Cisco data breach

The consequences of a confirmed data breach on Cisco could be significant, both in terms of financial losses and reputational damage. Data breaches often result in negative publicity, reduced customer trust, and a decline in the company’s market value, all of which could potentially affect Cisco’s bottom line. Indeed, shares of Cisco Systems saw a slight decline after news of the alleged breach was made public. HackManac posted details about the breach on the social platform X (formerly Twitter), leading to shares dropping $0.30 to $53.95 during afternoon trading.