In October, IntelBroker claimed to have gained access to Cisco's systems, stealing large amounts of data belonging to the company and its customers.
The threat actor alleged obtaining sensitive information including "Github projects, Gitlab Projects, SonarQube projects, source code, hard-coded credentials, certificates, customer SRCs, Cisco confidential documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!"
Following these claims, Cisco launched an investigation and confirmed that data was indeed exfiltrated. However, the company clarified that its core systems remained unbreached, with the threat actors instead accessing a public-facing DevHub environment due to a configuration error.
Cisco DevHub is a resource center that serves as a central platform for sharing technical content with Cisco's developer community and customers. It's designed to make software code, scripts, templates, and other development resources publicly available for customers and partners working with Cisco technologies.
The platform also enables Cisco to share specific software artifacts with individual customers in a more controlled manner.
In its November 15 security advisory, Cisco acknowledged that certain files were inadvertently published on devhub.cisco.com, though these were not discoverable or indexed by search engines.
Today, to substantiate their claims, IntelBroker released a 2.9GB sample of allegedly stolen data, which they claim includes source code from critical Cisco products such as IOS XE & XR, ISE, SASE, Umbrella, and Webex.
The actor has listed the complete alleged 4.5TB dataset for sale on underground forums.
IntelBroker has previously made headlines for targeting major corporations, often leaking partial datasets as proof while marketing full dumps for sale. While some of their past breaches were confirmed, others showed limited impact, leading security experts to suggest the hacker occasionally exaggerates claims to boost credibility.
In this case, the partial leak of 2.9GB—a fraction of the alleged 4.5TB dataset—has generated both validation and skepticism in the cybersecurity community.
Cisco has since corrected the configuration error and restored public access to DevHub.
The company has also directly notified affected CX Professional Services customers and provided them with copies of relevant files.
As the investigation continues, Cisco maintains that no information in the accessed content could have been used to breach their production or enterprise environments.