In October, the infamous hacker IntelBroker claimed to have infiltrated Cisco’s systems, gaining access to source code, certificates, credentials, confidential documents, encryption keys, and other sensitive information. The hacker alleged that the obtained source code was linked to several major companies.
However, Cisco’s investigation determined that its systems were not breached. Instead, the data was accessed from a public-facing DevHub environment, a resource hub where customers can download source code, scripts, and other materials. While most of the content on the DevHub was public, Cisco acknowledged that some files, intended to remain private, were mistakenly made accessible due to a configuration error. Among the accessed files were materials related to certain CX Professional Services customers.
Initially, Cisco stated there was no evidence that confidential or sensitive personal information had been compromised. However, this statement has since been removed from its incident reports.
In an effort to validate their claims and attract buyers for the remaining data, IntelBroker released a portion of the dataset. The 2.9 GB leak reportedly contains sensitive components, including:
- Cisco ISE (Identity Services Engine): Network access control and identity management.
- Cisco SASE (Secure Access Service Edge): Cloud-based secure networking and access solutions.
- Cisco Webex: Collaboration tools for video conferencing and messaging.
- Cisco Umbrella: DNS security platform to block malicious domains.
- Cisco IOS XE & XR: Operating systems for advanced network programmability.
- Cisco C9800-SW-iosxe-wlc.16.11.01: Wireless LAN Controller software for Catalyst platforms.
A screenshot shared on BreachForums highlights the leaked files and IntelBroker’s claims, adding credibility to the incident.
The hacker further claimed to have downloaded 4.5 TB of data from the DevHub. IntelBroker previously asserted that a total of 800 GB of files were acquired, though the hacker is known for exaggerating such claims.
Following IntelBroker’s latest leak, Cisco stated on Tuesday that it is aware of the hacker’s claims and believes the referenced files match those identified in its prior investigation.
“As noted in earlier updates, we remain confident that our systems were not breached. Furthermore, we have found no information in the leaked content that could have been used to access our production or enterprise environments,” Cisco emphasized.
IntelBroker is a threat actor known for orchestrating high-profile data breaches targeting companies like Apple, Zscaler, and Facebook Marketplace. They have a reputation for selling access to compromised systems and data on underground forums like BreachForums. IntelBroker has claimed responsibility for breaches involving government agencies such as Europol, the U.S. Department of Transportation, and the Pentagon, leaking sensitive information and classified documents. The actor has been linked to breaches at companies like Acuity, General Electric, and Home Depot, showcasing a pattern of targeting critical infrastructure and major corporations.