A hacker has repeatedly attempted to gain access to Cisco Systems' corporate network.
The Silicon Valley firm became aware of a potential compromise on 24 May and disclosed it on 10 August after the hacker leaked a list of the files it had stolen on the dark web.
In a blog post published on Wednesday, Cisco disclosed that the hacker broke into its network by compromising an employee's personal Google account, whose browser synchronisation had stored the employee's saved passwords across the web.
The attacker then persuaded the employee, over a series of phone calls in which they posed as a trusted organisation, to accept a multi-factor push authentication notification on their device.
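The two signals that kind of intrusion leaves in an identity provider's logs are a burst of push prompts to one user in a short window and an approval that follows earlier denials. The following detection script is an added example for this article, not code from Cisco or from the blog post it reports on; the log line format, the user names, the addresses and the timestamps are all constructed for the example, and the ten-minute window and three-prompt threshold are assumed starting values a team would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from Cisco or the article). The format is an
# assumption: "<ISO timestamp> user=<id> event=push_<sent|denied|approved> src=<ip>".
SAMPLE_LOG = """\
2022-05-24T02:13:01Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T02:13:20Z user=jdoe event=push_denied src=203.0.113.7
2022-05-24T02:14:05Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T02:14:30Z user=jdoe event=push_denied src=203.0.113.7
2022-05-24T02:16:02Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T02:16:44Z user=jdoe event=push_approved src=203.0.113.7
2022-05-24T09:00:00Z user=asmith event=push_sent src=198.51.100.4
2022-05-24T09:00:10Z user=asmith event=push_approved src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]}


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return a list of alert dicts, oldest first per user.

    kind="push_burst": the user received `threshold` push prompts inside `window`
        (fired once, when the threshold is first reached).
    kind="approved_after_denials": the user approved a push after denying one or
        more prompts inside the preceding `window`, the trace a phone-assisted
        push-acceptance attack leaves behind.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(events):
            # Earlier events for this user that fall inside the trailing window.
            recent = [e for e in events[:i] if e["ts"] >= ev["ts"] - window]
            if ev["event"] == "push_sent":
                sent = 1 + sum(e["event"] == "push_sent" for e in recent)
                if sent == threshold:
                    alerts.append({"kind": "push_burst", "user": user,
                                   "at": ev["ts"], "sent": sent, "src": ev["src"]})
            elif ev["event"] == "push_approved":
                denied = sum(e["event"] == "push_denied" for e in recent)
                if denied >= 1:
                    alerts.append({"kind": "approved_after_denials", "user": user,
                                   "at": ev["ts"], "denied": denied, "src": ev["src"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed log the script raises a burst alert for jdoe at the third prompt and a second, higher-value alert when jdoe approves after two denials; asmith's single prompt and approval produce nothing. The approval-after-denials alert is the one worth paging on, since it is the moment the account has actually been opened; number-matching or a hard cap on prompts per session removes the precondition for it altogether.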
An investigation determined that the hacker was able to gain access to Cisco's network using the employee's credentials.
According to the Cisco blog, the company had "not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc."
"The only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account. The data obtained by the adversary in this case was not sensitive," the company added.
Cisco also disclosed that it found evidence the hacker was preparing to encrypt files but hadn't managed to do so before they were detected and booted out. After the attacker had been evicted, repeated attempts to regain access followed, but to no avail.
Investigators believe that the attack was conducted by an adversary who has previously been identified as an initial access broker for several notorious cyber crime groups: UNC2447, Lapsus$ and Yanluowang ransomware operators. Initial access brokers attempt to gain privileged access to corporate computer networks and then sell it to other hackers.
According to Mandiant's research last year, UNC2447 is an "aggressive financially motivated group" that has targeted organisations with ransomware in Europe and North America.
The Lapsus$ group was accused of going on a rampage of high-profile attacks against technology companies including Okta Inc, Microsoft Corp and Nvidia Corp. Yanluowang, named after a Chinese deity, is a ransomware variant that has been used against US corporations since August 2021, according to Symantec.
A Bloomberg News report has suggested that the suspected mastermind was a 16-year-old British teenager living at his mother's home.