Cisco Data Breach Shakes The Tech World - Talion

Multinational technology conglomerate Cisco was recently hit with a data breach by the ransomware gang Yanluowang, who publicised a list of company files – proof that no organisation, no matter how large, is safe.

Whilst the details of the event are only now emerging, the incident itself began in May.

Here’s a rundown of what happened, and of the competing accounts given by the attackers and by Cisco.


What Happened To Cisco In May?

Before the Yanluowang ransomware gang went public with Cisco’s files in August, there was talk of an initial hack in May – this was the beginning of the saga.

Cisco Talos confirmed in a blog post that Cisco first became aware of a potential compromise on May 24th, although nothing was said publicly until August. The investigation that followed confirmed a data breach, and the Cisco Security Incident Response Team (CSIRT) continued to investigate it.

Security researchers have suggested that Yanluowang is linked to “Evil Corp” (UNC2165) and to the FiveHands ransomware operators (UNC2447), because the Tactics, Techniques and Procedures (TTPs) seen in this attack closely mirror theirs, and because the attack used infrastructure overlapping with that of a Conti ransomware affiliate previously seen deploying Hive and Yanluowang ransomware payloads.

However, it seems the evidence is still unclear and there is room for debate.




Yanluowang Ransomware Gang Leak Data From Cisco Cyberattack

Fast forward to the present and the breach is public knowledge.

Yanluowang, who likely took their name from Yanluo Wang (a Chinese deity said to be one of the Kings of Hell), have disclosed their point of access into Cisco – an employee’s VPN account. The attacker first gained control of the employee’s personal Google account; the employee had enabled browser password syncing, so their Cisco credentials saved in the browser were available to the attacker. The attacker then ran a series of voice phishing calls, posing as various trusted organisations, alongside a stream of multi-factor authentication (MFA) push notifications, until the employee accepted one of the pushes and granted the attacker access to the VPN.

Once inside, the attacker did a great deal of damage:

  • They enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN
  • They escalated to administrative privileges, which let them log in to multiple systems
  • They dropped a variety of tooling, including remote access tools such as LogMeIn and TeamViewer and offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz and Impacket, and added their own backdoor accounts and persistence mechanisms
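The initial access described above is detectable from authentication logs alone: a burst of denied or unanswered MFA pushes ending in an approval, followed minutes later by a new MFA device enrolment and a VPN login. The script below is an added example written for this article, not Cisco’s or Talos’s code, and runs over a handful of constructed log lines. The line format (`timestamp user action [detail]`), the action names and the thresholds are assumptions chosen for illustration, not any vendor’s schema.

```python
"""Toy detections for MFA push fatigue and the follow-on device enrolment.

Constructed log format (an assumption, not a vendor schema):
    <ISO-8601 timestamp> <user> <action> [<detail>]
where action is one of push_sent, push_denied, push_timeout, push_approved,
device_enrolled, vpn_login and detail is a device name or source IP.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    detail: str = ""


FAILED_PUSH = {"push_denied", "push_timeout"}


def parse(line: str) -> Event:
    """Split one constructed log line into an Event."""
    parts = line.split(maxsplit=3)
    detail = parts[3] if len(parts) > 3 else ""
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], detail)


def detect_push_fatigue(events: Iterable[Event], min_failed: int = 3,
                        window: timedelta = timedelta(minutes=15)
                        ) -> List[Tuple[str, datetime, int]]:
    """Flag approvals preceded by >= min_failed denied/unanswered pushes
    inside `window` for the same user. Returns (user, approval_ts, n_failed)."""
    alerts = []
    history: Dict[str, List[datetime]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        failed = history.setdefault(e.user, [])
        if e.action in FAILED_PUSH:
            failed.append(e.ts)
        elif e.action == "push_approved":
            recent = [t for t in failed if e.ts - t <= window]
            if len(recent) >= min_failed:
                alerts.append((e.user, e.ts, len(recent)))
            failed.clear()  # an approval closes the current burst
    return alerts


def detect_follow_on(events: Iterable[Event],
                     fatigue_alerts: List[Tuple[str, datetime, int]],
                     window: timedelta = timedelta(hours=2)
                     ) -> List[Tuple[str, str, str]]:
    """For users flagged by detect_push_fatigue, flag MFA device enrolments
    and VPN logins within `window` after the suspicious approval."""
    flagged = {user: ts for user, ts, _ in fatigue_alerts}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        t0 = flagged.get(e.user)
        if t0 is None or not (t0 <= e.ts <= t0 + window):
            continue
        if e.action in ("device_enrolled", "vpn_login"):
            alerts.append((e.user, e.action, e.detail))
    return alerts


def analyse(log_text: str) -> Dict[str, list]:
    """Run both detections over raw log text and return the alerts."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    fatigue = detect_push_fatigue(events)
    return {"fatigue": fatigue, "follow_on": detect_follow_on(events, fatigue)}


# Constructed sample log: alice approves normally, bob is pushed repeatedly
# until he accepts, then enrols a device and connects to the VPN; carol's
# enrolment has no suspicious approval before it and should not fire.
SAMPLE_LOG = """\
2022-05-20T09:00:00 alice push_sent
2022-05-20T09:00:30 alice push_approved
2022-05-24T03:10:00 bob push_sent
2022-05-24T03:10:40 bob push_timeout
2022-05-24T03:11:00 bob push_sent
2022-05-24T03:11:20 bob push_denied
2022-05-24T03:12:00 bob push_sent
2022-05-24T03:12:45 bob push_timeout
2022-05-24T03:13:00 bob push_sent
2022-05-24T03:13:10 bob push_approved
2022-05-24T03:20:00 bob device_enrolled phone-2
2022-05-24T03:22:00 bob vpn_login 203.0.113.7
2022-05-24T08:00:00 carol device_enrolled phone-1
"""

if __name__ == "__main__":
    for kind, alerts in analyse(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```

The thresholds (three failed pushes in fifteen minutes, a two-hour follow-on window) are starting points to tune against your own baseline, since users do occasionally fumble a few prompts. Detection of this kind complements, rather than replaces, preventive controls such as number-matching pushes, a cap on push attempts per user, and an approval step for new MFA device enrolments.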

Cisco initiated a company-wide password reset and evicted the attacker from the network. The attacker repeatedly tried to regain access over the following weeks, without success.


How Sensitive Are We Talking?

So, what happens when a ransomware gang says one thing, and the targeted company say another?

It’s hard to know what’s really going on.

According to Yanluowang, they stole thousands of Cisco’s files amounting to 55GB, including what they describe as confidential documents, technical schematics and source code. That is a big claim, and so far it comes with very little evidence.

Cisco, on the other hand, have publicly stated that the data taken – the contents of a Box folder tied to the compromised employee’s account – was not sensitive, and that the intrusion was contained before Yanluowang had the chance to deploy ransomware and start encrypting systems.

“We have no evidence to suggest the actor accessed Cisco product source code or any substantial access beyond what we have already publicly disclosed.” – Cisco

As a result, Cisco are running as usual with no impact to the business, which would be hard to do if Yanluowang had indeed stolen their sensitive files.

It is likely Yanluowang are, therefore, exaggerating the result of the cyberattack, perhaps in order to damage the reputation of Cisco or create a sense of mistrust amongst their customers.




We’d like to highlight the importance of companies speaking up about their challenges with ransomware – it is only with public acknowledgement and sharing of resources that the fight against ransomware will get easier.

There are a number of ways companies can tackle the challenges within their security strategy: moving past reliance on legacy solutions that can’t keep up with today’s attacker techniques, improving awareness and visibility internally amongst employees, and outsourcing security services to ease the alert burden on in-house security teams.

Evaluate your current processes and find what works best for you.

Reach out to us if you’d like to have a further chat – you can contact us here.


Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
24x7x365 UK-based Security Operations Centre
Service underpinned by market leading threat intelligence team
Continually developed threat relevant content, backed by SLAs
MDR service has featured in the Gartner Magic Quadrant for 6 consecutive years
Experts in SIEM and SOAR technology
UK-based Senior Leadership
Looking to maximise value and flexibility?
Learn how Talion and DEVO partner to achieve this.
Discuss your cyber security needs
Contact us below and one of our team will be in touch to answer your questions.

Call us on 0800 048 5775

Call us directly and we’ll put you in touch with the most relevant cyber expert.

Get In Touch With Us

Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.

CISO Cyber Dinner – Register Your Interest!

Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.