Exploring IntelBroker’s Alleged Cisco Breach: An In-Depth Analysis of Claims and Reactions – SOCRadar® Cyber Intelligence Inc.

On October 14, 2024, IntelBroker — the administrator of BreachForums — claimed to have breached Cisco and extracted source code, internal documents, and customer-related artifacts. Cisco denied a compromise of its core systems, saying the exposed files originated from a public-facing DevHub and that law enforcement was engaged.

Key points

  • IntelBroker announced an alleged breach of Cisco on October 14, 2024, claiming the intrusion began on October 6 and offering data for sale.
  • The actor asserted they accessed a wide range of materials, including source code, hard-coded credentials, certificates, API tokens, and cloud storage buckets.
  • Cisco stated its core systems were not compromised, attributing the exposed data to a public-facing DevHub environment and temporarily disabling access.
  • Cisco engaged law enforcement and conducted an investigation, reporting no evidence of sensitive PII or financial data being exposed.
  • IntelBroker claimed they maintained access for up to 12 days until Cisco revoked remaining access on October 18.
  • IntelBroker is a prominent BreachForums admin with a history of alleged breaches against high-profile organizations and ties to other cybercriminal groups.

MITRE Techniques

  • [T1078] Valid Accounts – Use of stolen credentials to gain access to systems.
  • [T1190] Exploitation of Public-Facing Applications – Exploiting vulnerabilities in internet-facing services to obtain unauthorized access.
  • [T1041] Exfiltration Over C2 Channel – Transferring sensitive data from compromised systems to external locations.
  • [T1003] Credential Dumping – Extracting account login credentials from operating systems and applications.

Indicators of Compromise

  • [Repository/Project] Alleged stolen code and projects – GitHub projects, GitLab projects (claimed Cisco-related repositories)
  • [Code Analysis Artifacts] Exposed code review or quality tools – SonarQube projects, Docker builds
  • [Credentials/Tokens] Hard-coded or leaked credentials and tokens – API tokens, hard-coded credentials (and other credential types)
  • [Cloud Storage] Exposed cloud resources – AWS private buckets, Azure Storage buckets
  • [Certificates & Keys] Sensitive cryptographic material – SSL certificates, private & public keys
  • [Internal Records] Internal tracking and customer artifacts – Jira tickets, Cisco confidential documents (and screenshots of management interfaces)

On October 14, 2024, IntelBroker — a well-known actor on underground forums and the current administrator of BreachForums — posted claims that they had breached Cisco Systems. According to the actor, the intrusion began on October 6, and the alleged haul included source code, internal documents, hard-coded credentials, certificates, API tokens, cloud storage buckets, Docker builds, and other artifacts. IntelBroker also offered portions of the data for sale and supplied screenshots that purported to show access to management consoles, internal files, and customer information.

Cisco moved quickly to address the public claims. In an October 15 statement titled “Cisco Event Response: Reports of Security Incident,” the company said it was investigating allegations that an unauthorized actor claimed access to certain Cisco and customer data, had engaged law enforcement, and had found no evidence of core systems being impacted. In a follow-up on October 18, Cisco clarified its findings, saying the files in question were located in a public-facing DevHub environment used to share code and scripts with the community, that it had not observed sensitive PII or financial data among the exposed items, and that access to DevHub had been temporarily disabled to reduce risk while the investigation continued.

IntelBroker amplified their claims on social media while criticizing Cisco’s public response. The actor asserted on BreachForums that the intrusion dated to October 6 and then used Twitter posts to claim they maintained access through October 18 — a span IntelBroker described as approximately 12 days inside. On October 18 IntelBroker said Cisco had revoked remaining access by shutting down Docker, Maven Hub, and SSH entry points. Those messages appear intended both to pressure Cisco publicly and to bolster IntelBroker’s standing in the cybercriminal community.

The incident fits a broader pattern tied to IntelBroker’s activities. Emerging in late 2022 and gaining notable attention in 2023, the actor has been associated with a series of alleged breaches involving high-profile targets such as Weee Grocery Service, Europol, Autotrader, Volvo, Hilton Hotels, and AT&T, although not every claim has been independently verified. In May 2024 IntelBroker rose to an administrative role on BreachForums after leadership disruptions that included law enforcement’s arrest of the prior admin. The actor has also been linked to a racially named cybercrime group referenced in reporting, and in August 2024 reportedly helped revive activity among several prolific underground operators.

This event highlights ongoing tensions between public assertions from threat actors and the investigative, containment, and disclosure processes undertaken by targeted organizations. Cisco’s public statements emphasize that investigators did not find evidence of a compromise of core systems and that the files of concern were associated with a public DevHub resource; IntelBroker’s posts, screenshots, and claims of extended access, however, underscore how threat actors use both technical access and public messaging to create reputational pressure. Cisco’s engagement with law enforcement and its temporary measures to disable DevHub access reflect steps commonly taken to validate claims, contain potential exposure, and protect customers while a deeper forensic review proceeds.

As with many incidents originating on underground forums, independent verification of the full extent of any access or data exposure is challenging. Organizations are advised to treat the situation as an active investigation, to review public-facing code repositories and developer portals for unintended data exposures, and to monitor for related indicators such as leaked credentials, exposed cloud buckets, or copies of internal artifacts appearing in illicit marketplaces. For their part, vendors and service providers should continue coordinating with law enforcement and affected customers and communicate findings transparently as investigations yield confirmed results.
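The review of public-facing repositories and developer portals recommended above is usually done with a secret scanner. The following is an added example of a minimal scanner of that kind, written for this page; it is not SOCRadar's, Cisco's, or any vendor's tooling. The detector patterns (an AWS access key ID, a GitHub personal access token, a PEM private-key header, a quoted hard-coded password, and an S3 bucket reference) and the sample files are constructed for the example, and findings are redacted so a triage report does not re-expose the value it flags.

```python
import re
from dataclasses import dataclass

# Hypothetical detector patterns (constructed for this example). Each maps a
# finding kind to a regular expression applied per line of each scanned file.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
    "s3_bucket_url": re.compile(
        r"\bs3://[a-z0-9.\-]{3,63}\b|\b[a-z0-9.\-]{3,63}\.s3\.amazonaws\.com\b"
    ),
}

# Kinds whose matched text is a pointer to review rather than a secret itself,
# so they are reported unredacted.
NON_SECRET_KINDS = {"private_key_block", "s3_bucket_url"}

# File extensions skipped as binary (screenshots, archives, images).
BINARY_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".zip", ".tar", ".gz")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep a short prefix and suffix so a finding is reviewable without
    copying the full value into the report."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents line by line and return Finding objects."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Capturing group 1 holds the secret where the pattern has one
                # (the password value); otherwise the whole match is the hit.
                hit = match.group(1) if match.groups() else match.group(0)
                shown = hit if kind in NON_SECRET_KINDS else redact(hit)
                findings.append(Finding(path, line_no, kind, shown))
    return findings


def scan_tree(files: dict) -> list:
    """Scan a mapping of path -> contents (stands in for a checked-out repo)."""
    findings = []
    for path, text in files.items():
        if path.lower().endswith(BINARY_SUFFIXES):
            continue
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, the shape a triage dashboard would want."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


# Constructed sample repository: placeholder values only, no real credentials.
SAMPLE_FILES = {
    "scripts/deploy.py": (
        "import boto3\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY000001'\n"
        "password = 'Sup3rSecretPass'\n"
        "BUCKET = 's3://example-devhub-artifacts'\n"
    ),
    "config/ci.yml": "github_token: ghp_" + "a" * 36 + "\nregistry: docker.example.internal\n",
    "keys/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Public docs: no secrets here. Set PASSWORD via environment variable.\n",
    "docs/console.png": "\x89PNG binary placeholder",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.redacted}")
    print(summarize(scan_tree(SAMPLE_FILES)))
```

In practice the `files` mapping would be built by walking a clone of each public repository or a crawl of a developer portal, and any hit should be treated as a rotation task (revoke the credential, re-issue the certificate, restrict the bucket) rather than merely a deletion from the repository, since the git history and any external copies still hold the value.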

Read more: https://socradar.io/intelbrokers-alleged-cisco-breach-a-deep-dive-into-the-claims-and-responses/