Cisco Event Response: Corporate Network Security Incident


Version 1.1: September 11, 2022

September 11, 2022: Update

On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web posted the actual contents of the same files to the same location on the dark web. The content of these files matches what we already identified and disclosed.

Our previous analysis of this incident remains unchanged—we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

On May 24, 2022, Cisco identified a security incident targeting Cisco corporate IT infrastructure, and we took immediate action to contain and eradicate the bad actors. In addition, we have taken steps to remediate the impact of the incident and further harden our IT environment. No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident.

Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web.

Every cybersecurity incident is an opportunity to learn, strengthen our resilience, and help the wider security community. Cisco has updated its security products with intelligence gained from observing the bad actor’s techniques, shared Indicators of Compromise (IOCs) with other parties, reached out to law enforcement and other partners, and is sharing further technical details via a Talos blog to help cyber defenders learn from our observations.

Resource

The following resource provides further detail about this security incident.

Cisco Response

Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors. Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to enhance the security of our systems and are sharing technical details to help protect the wider security community.

Common Questions

Q: Is customer/partner or other sensitive data exposed as a result of this issue? 

The incident was contained to the corporate IT environment and Cisco did not identify any impact to any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations.

Q: What remediation actions have you taken?

Cisco has extensive IT monitoring and remediation capabilities. We have used these capabilities to implement additional protections, block any unauthorized access attempts, and mitigate the security threat. We are also putting additional emphasis on employee cybersecurity hygiene and best practices to avoid similar instances in the future.

Q: Is customer/partner action required?

No customer/partner action is required for Cisco products or services. Cisco has updated its security products with intelligence gained from observing the bad actor’s techniques, shared Indicators of Compromise (IOCs) with other parties, reached out to law enforcement and other partners, and is sharing further technical details via a Talos blog to help cyber defenders learn from our observations.

Q: Is there an impact to Cisco’s business?

Cisco did not identify any impact to its business as a result of this incident.

Q: Why is Cisco disclosing this security incident now?

On August 10 the bad actors published a list of files from this security incident to the dark web. Prior to this disclosure, Cisco had been actively collecting information about the bad actor to help protect the security community.

Product Support

Cisco customers or partners with questions related to Cisco products are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

 


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

