Cisco Admits Corporate Network Compromised by Gang with Links to Lapsus$


Jul 27, 2015
Cisco disclosed on Wednesday that its corporate network was accessed by cyber-criminals in May after an employee's personal Google account was compromised – an act a ransomware gang named "Yanluowang" has now claimed as its work.

The world's largest networking vendor disclosed the months-old compromise after a list of files accessed during the incident appeared on the dark web. A Cisco statement asserts the company "did not identify any impact to [its] business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations." Cisco Security Incident Response (CSIRT) and the company's cybersecurity intelligence group Cisco Talos specified the only successful data exfiltration was from an account with cloud storage locker Box that was associated with a compromised employee's account. But the attacker did manage to spend some time inside Cisco's IT.

Cisco was able to revoke the attacker's access, but that did not discourage them. They tried to re-establish entry multiple times, preying on employees' weak password rotation hygiene. The attacker then attempted to establish email communication with Cisco execs, showing off directory listings of their loot – an alleged 2.75GB of data containing around 3,700 files – and suggesting Cisco could pay to avoid disclosure.

"Based upon artefacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$," said Cisco, adding activity was also linked to the Yanluowang ransomware gang. Yanluowang has claimed credit for the breach.
