Cisco confirms Yanluowang ransomware leaked stolen company data

Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May.

However, the company says in an update that the leak does not change the initial assessment that the incident has no impact on the business:

On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed.

Our previous analysis of this incident remains unchanged - we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

In a report in August, Cisco announced that its network had been breached by the Yanluowang ransomware after the hackers compromised an employee’s VPN account.

According to the company, the stolen data included non-sensitive files from the employee’s Box folder and the attack was contained before Yanluowang ransomware could start encrypting systems.

Hacker claims stealing 55GB of data

The threat actor, however, claimed otherwise. Yanluowang’s leader told BleepingComputer that they stole thousands of files amounting to 55GB and that the cache included classified documents, technical schematics, and source code.

The hacker did not provide any proof, though. They only shared a screenshot indicating access to what appears to be a development system. BleepingComputer could not verify the accuracy of this claim.

When asked for a comment on the matter, Cisco denied the possibility that the intruders had exfiltrated or accessed any source code.

“We have no evidence to suggest the actor accessed Cisco product source code or any substantial access beyond what we have already publicly disclosed,” – Cisco

Late last month, the research team at cybersecurity company eSentire published a report with evidence that linked Yanluowang, “Evil Corp” (UNC2165), and FiveHands ransomware (UNC2447).