Cisco confirms leaked data was stolen in Yanluowang ransomware hit

Internal Cisco data leaked late last week by the China-based Yanluowang ransomware operation has been confirmed as stolen during a cyber attack earlier in 2022, but has insisted the leak poses no risk to its business, supply chain operations or customers.

The attack took place in May, but Cisco initially disclosed it on 10 August 2022 after its name appeared for the first time on Yanluowang’s dark web leak site.

At the time, it said, the attacker was likely an initial access broker (IAB) with links to a threat actor tracked as UNC2447, the Yanluowang crew, and the Lapsus$ group that attacked multiple tech firms at the start of the year.

They likely gained access after successfully phishing a Cisco employee who had stored their credentials in their personal Google account.

Ultimately, the attacker exfiltrated the contents of a Box folder associated with the compromised employee’s account, and employee authentication data from Active Directory.

In an update delivered on 11 September, Cisco’s threat intelligence unit Talos said: “On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed. 

They continued: “Our previous analysis of this incident remains unchanged – we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

According to Bleeping Computer, however, the Yanluowang gang claims it has stolen 55GB of data including classified documents, technical information, and – critically – source code, although this is unconfirmed.

Chris Hauk, consumer privacy champion at Pixel Privacy, commented: “While this is definitely a case of ‘We said, they said’, when it comes to this data breach, Cisco customers and employees should treat this breach as if the bad actors do have access to all of the data they claim to have stolen.

“That means they should be alert for phishing schemes using the possibly purloined data, while also policing their login information, making sure they have not reused their passwords anywhere.”

A comparative rarity on the cyber criminal scene given the dominance of Russian-speaking ransomware gangs, Yanluowang was first identified in late 2021 by Symantec’s Threat Hunter team, however, it seems to have been operational since at least August 2021.

It appears to be chiefly interested in organisations operating in the financial sector, but it has also targeted those specialising in consultancy, engineering, IT services and manufacturing.

According to Symantec, it uses a number of tactics, techniques and procedures (TTPs) that are associated with the Thieflock ransomware-as-a-service (RaaS) operation, possibly suggesting the presence or influence of an affiliate.

In April 2022, researchers at Kaspersky were able to crack the ransomware’s encryption after finding a flaw in its RSA-1024 asymmetric encryption algorithm, and subsequently made a free decryptor available for victims.