Cisco Systems Inc. disclosed Wednesday that it had been breached by a cyberattack from a hacker associated with a number of well-known cybercrime organizations.
In a blog post, Cisco Talos — the company’s threat-intelligence business — said it became aware of the attack May 24. It said a hacker used a Cisco employee’s credentials and “conducted a series of sophisticated voice phishing attacks,” ultimately gaining access to its corporate network.
Earlier Wednesday, “the bad actors published a list of files from this security incident to the dark web,” Cisco said in a separate statement.
San Jose, Calif.-based Cisco said the incident was contained to its corporate IT environment, and did not appear to involve sensitive customer data or private employee information.
“We have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.,” the company said. “The only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account. The data obtained by the adversary in this case was not sensitive.”
Cisco said the hacker was successfully removed, but “displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
No ransomware has been observed, and steps have been taken to “further harden” Cisco’s IT environment, the networking giant said.
Cisco said it had confidence the hacker was an initial access broker with ties to the UNC2447 ransomware gang, the Lapsus$ cybercriminal group and Yanluowang ransomware operators. Earlier this year, Lapsus$ targeted systems at Okta Inc. and Microsoft Corp.
Cisco shares are down 27% year to date, compared to the 8% decline by the Dow Jones Industrial Average, of which it is a component.