Cisco admits corporate network compromised by gang with links to Lapsus$

Cisco disclosed on Wednesday that its corporate network was accessed by cyber-criminals in May after an employee’s personal Google account was compromised – an act a ransomware gang named “Yanluowang” has now claimed as its work.

A Cisco statement asserts the company “did not identify any impact to [its] business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Cisco Security Incident Response and the company’s cybersecurity intelligence group Cisco Talos specified that the only successful data exfiltration was from an account with cloud storage locker Box that was associated with a compromised employee’s account.

The attacker did manage to spend some time inside Cisco’s IT. According to Talos’s post, the attacker obtained access to Cisco networks, enrolled a series of devices for MFA and authenticated successfully to the Cisco VPN. The attacker “then escalated to administrative privileges, allowing them to login to multiple systems.” That action alerted the Cisco Security Incident Response Team, which swooped in with “extensive IT monitoring and remediation capabilities” to “implement additional protections, block any unauthorized access attempts, and mitigate the security threat.” Efforts were also made to improve “employee cybersecurity hygiene.”

The attacker then employed voice-phishing techniques that saw operatives call using various accents and posing as various trusted organizations, seeking to help the Cisco staffer, until he or she cracked and accepted a bogus MFA notification that gave the hackers access to the VPN. Once inside, they spread laterally to Citrix servers – eventually obtaining privileged access to domain controllers.

The attacker then attempted to establish email communication with Cisco execs, showing off directory listings of their loot – an alleged 2.75GB of data containing around 3,700 files – and suggesting Cisco could pay to avoid disclosure.
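A defender's view of the sequence described above (an accepted MFA notification, a series of newly enrolled MFA devices, then a VPN login), as an added example that is not from the article, Cisco or Talos: it flags that pattern in identity-provider events. The event names, field names, thresholds and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window
MAX_NEW_DEVICES = 2           # assumed threshold for "a series of devices"

# Constructed sample events; the schema (ts, user, event, device) is hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "user": "alice", "event": "mfa_push_accepted", "device": "phone-1"},
    {"ts": "2024-01-10T09:05:00", "user": "alice", "event": "mfa_device_enrolled", "device": "dev-A"},
    {"ts": "2024-01-10T09:07:00", "user": "alice", "event": "mfa_device_enrolled", "device": "dev-B"},
    {"ts": "2024-01-10T09:20:00", "user": "alice", "event": "vpn_login", "device": "dev-B"},
    # bob replaces one phone: a single enrollment stays under the threshold
    {"ts": "2024-01-10T10:00:00", "user": "bob", "event": "mfa_device_enrolled", "device": "new-phone"},
    {"ts": "2024-01-10T10:30:00", "user": "bob", "event": "vpn_login", "device": "new-phone"},
    # carol enrolled two devices long before her login: outside the window
    {"ts": "2024-01-01T08:00:00", "user": "carol", "event": "mfa_device_enrolled", "device": "c-1"},
    {"ts": "2024-01-01T08:10:00", "user": "carol", "event": "mfa_device_enrolled", "device": "c-2"},
    {"ts": "2024-01-10T11:00:00", "user": "carol", "event": "vpn_login", "device": "c-2"},
]

def find_suspicious_enrollments(events, window=WINDOW, max_new=MAX_NEW_DEVICES):
    """Flag users who enrolled max_new or more MFA devices inside the window
    and then logged in to the VPN from one of those new devices."""
    last_push, enrolled, alerts = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts, user, dev = datetime.fromisoformat(ev["ts"]), ev["user"], ev["device"]
        if ev["event"] == "mfa_push_accepted":
            last_push[user] = ts
        elif ev["event"] == "mfa_device_enrolled":
            enrolled.setdefault(user, []).append((ts, dev))
        elif ev["event"] == "vpn_login":
            recent = [(t, d) for t, d in enrolled.get(user, []) if ts - t <= window]
            devices = [d for _, d in recent]
            if len(devices) >= max_new and dev in devices:
                push, first = last_push.get(user), recent[0][0]
                alerts[user] = {
                    "devices": devices,
                    # True when the first enrollment came shortly after an accepted push
                    "followed_push_accept": push is not None
                    and timedelta(0) <= first - push <= window,
                }
    return alerts

if __name__ == "__main__":
    for user, detail in find_suspicious_enrollments(SAMPLE_EVENTS).items():
        print(user, detail)
```
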
