← All insights
Threats

Cisco Breached Data Posted on Dark Web Forums

Executive Summary

A confirmed breach at Cisco was disclosed on dark web forums on October 14th by threat actors IntelBroker, “EnergyWeaponUser,” and “zjj.” The company confirmed the breach occurred on October 6th.

Key Details

  • The threat actors claimed access to: “Github projects, Gitlab Projects, SonarQube projects, Source code, hard coded credentials, Certificates, Customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!”
  • Initial reports suggest a third-party vendor providing DevOps and software development support may have been the compromise vector.
  • This represents Cisco’s second breach in 2024. The earlier incident involved China-attributed actor Velvet Ant exploiting CVE-2024-20399. The relationship between the two breaches remains unclear.

Mitigations

  • Apply the latest Cisco product patches and fixes, while examining any updates deployed after October 6th for suspicious activity.
  • Implement increased monitoring on all Cisco devices to detect suspicious behavior or traffic.
  • Anticipate further attacks leveraging stolen materials; maintain long-term heightened scrutiny with isolation and containment procedures.
  • Rotate credentials for device management, service accounts, and representative accounts; enforce MFA across all accounts.
  • Rotate credentials and access keys for any Cisco cloud assets to prevent unauthorized access.

Analyst comments

Given the scope of stolen data, future exploitation and backdoor creation targeting Cisco devices appears probable. Software update vectors may also be compromised. Implement rigorous vetting and testing of Cisco product updates in isolated staging environments before deployment. Extended monitoring remains warranted due to source code theft potentially enabling threat actors to discover additional vulnerabilities. Users should reissue credentials and access keys for Cisco cloud products.

More in Threats
The Sandworm in Your DependenciesDec 1, 2025 · 5 minFinancial Services Threat BriefingJun 10, 2025 · 2 minIIoT and OT Cybersecurity: The Next Battleground for Cyber AdversariesFeb 16, 2025 · 5 min
Talk to an expert