Summary
The threat actor known as Intel Broker has allegedly claimed responsibility for a major data breach at technology firm Cisco, stealing sensitive information, including source codes, credentials, and confidential documents. The breach allegedly occurred on October 6 or June 10, 2024, depending on date format, with Intel Broker announcing the theft on Breach Forums on October 14, 2024. Among the stolen assets are source code from GitHub, GitLab, and SonarQube, hard-coded credentials, SSL certificates, public and private keys, API tokens, and internal documents marked “Cisco Confidential”. The breach claims to impact major global firms, with production source codes from Verizon, Bank of America, Barclays, and several other large firms being exposed by the alleged breach.
Cisco has confirmed to media entities that it is investigating recent claims by Intel Broker and an investigation is ongoing. RH-ISAC will update this alert with new information as it is available.
Community Response
Intel Broker is well-known for high-profile cyberattacks, having previously targeted Apple, AMD, Europol, and other organizations in 2024. Intel Broker has a history of breaching major corporations, further highlighting the cybersecurity challenges faced by even the largest tech companies. As more information about the Cisco breach unfolds, the potential damage and fallout will be closely monitored by the RH-ISAC Intelligence Team.
RH-ISAC Members are advised to monitor existing relationships with Cisco and continuously monitor RH-ISAC and third-party intelligence alerts as the Cisco investigation develops.
Background
Intel Broker, along with entities EnergyWeaponUser and zjj, is offering the alleged stolen Cisco data for sale in exchange for the privacy-focused cryptocurrency Monero (XMR), using a middleman to facilitate transactions to avoid identification by law enforcement entities.
A screenshot of the selling post for Cisco is available below:
Intel Broker shared samples of the alleged stolen data, including a database, customer information, various customer documentation, and screenshots of customer management portals. However, the threat actor did not provide further details about how the data was obtained.