Cisco confirms 'ongoing investigation' after crims brag about selling tons of data

Networking giant says 'no evidence' of impact on its systems but will tell customers if their info has been stolen
UPDATED Cisco has confirmed it is investigating claims that data belonging to the networking giant has been stolen and is now being sold.

This allegedly includes a ton of sensitive Switchzilla files, according to prolific extortionist IntelBroker, the moniker for one of several cyber criminals who allegedly own and operate BreachForums.

On Monday, the data thief bragged about recently breaching Cisco with some help from a couple of other scumbag friends, and offered for sale on the darkweb souk a laundry list of private Cisco data: GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, confidential documents, Jira tickets, API tokens, AWS private buckets, Docker builds, Azure storage buckets, private and public keys, SSL certificates, and product information. 

The Register reached out to Cisco to confirm the breach, and a spokesperson sent us the following statement via email:

"Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files. We have launched an investigation to assess this claim, and our investigation is ongoing." 

The spokesperson declined to answer specific questions about the alleged intrusion, including when it happened (if it happened at all). 

IntelBroker, which claimed to be working with two other digital intruders who go by EnergyWeaponUser and zjj, said the breach happened June 10. IntelBroker and EnergyWeaponUser also purportedly worked together to steal and sell AMD internal communications back in August.

In the most recent Cisco heist, the trio claimed to have scooped up a ton of major customers' source code — but, keep in mind, this is the word of a criminal, so we are not suggesting it's necessarily true. The Register has not verified the allegedly stolen files.

The dozens of companies that IntelBroker lists among those affected include AT&T, Verizon, T-Mobile US, Chevron, Microsoft, Vodafone and SAP, among many others. The Register reached out to the named orgs. We didn't immediately hear back from anyone except for SAP.

"SAP is aware of the recent post on BreachForum Dark Web regarding the Cisco Data Breach from June 10, 2024 and our security experts are collaborating with business partners to investigate these claims," a spokesperson said. "The investigation is ongoing."

Another alleged victim on the BreachForums list said there's "no evidence" that the crooks nabbed anything from them in the supposed data heist.

It's unclear if this latest break-in is related to a September CosmicSting attack during which criminals compromised Cisco's Magento-based merch site. At the time, a Cisco spokesperson told us the flaw had since been fixed, "the issue impacted only a limited number of site users, and those users have been notified. No credentials were compromised."

Regardless of whether the crooks' boasts turn out to be true, we have to assume that IntelBroker has painted a very large target on their back by now after also purporting to peddle sensitive info belonging to AMD, the US Army Aviation and Missile Command, Europol, the Pentagon and other national security agencies. ®

UPDATED AT 22:00 UTC October 16th

Cisco has sent The Reg the following statement:

“Cisco is investigating reports that an unauthorized actor is alleging to have gained access to certain Cisco data and data of our customers. Cisco takes this allegation seriously and we have engaged law enforcement as part of this investigation. To date, our investigation has found no evidence of our systems being impacted. We will notify customers where we confirm that the actor has obtained their confidential information. Customers with concerns can contact PSIRT@cisco.com.”
