Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp

Experts from eSentire established that the infrastructure used to hack Cisco in May 2022 was exploited to compromise an unnamed HR solutions company a month earlier.

Researchers believe that malicious actors associated with Evil Corp. are behind these incidents.

Let me remind you that we also said that Cisco Won’t Fix an RCE Vulnerability in Old RV Routers.

Let me remind you that in August 2022, Cisco representatives confirmed that in May, the company’s corporate network was hacked by the Yanluowang extortionist group. Later, the attackers tried to extort money from Cisco, otherwise threatening to publish the data stolen during the attack in the public domain. Then the company emphasized that the hackers managed to steal only non-confidential data from the Box folder associated with the hacked employee account.

eSentire analysts now say that the attack could have been the work of a criminal known as mx1r. It is believed that he is a member of one of the “branches” of the well-known Russian-speaking group Evil Corp (aka UNC2165).

The researchers write that the victim’s network was initially accessed using stolen VPN credentials, and then the attackers used ready-made tools for lateral movement.

With the help of Cobalt Strike, the attackers were able to gain a foothold in the system. They acted quickly from the moment of initial access to the moment when they were able to register their own virtual machine in the victim’s VPN network.the experts say.

Researchers suspect mx1r’s connection with Evil Corp due to the coincidence of a number of attackers’ tactics, Including due to the organization of a kerberoasting attack on the Active Directory service and the use of RDP for promotion in the company’s network.

At the same time, despite these connections, the HiveStrike infrastructure used to organize the attack generally corresponds to the infrastructure of one of the “partners” of the Conti group, which had previously distributed the Hive and Yanluowang ransomware. These hackers eventually published the data stolen from Cisco on their dark web site.

Cisco representatives themselves wrote that the attack was most likely “carried out by an attacker who was previously an initial access broker and had connections with the UNC2447 cybercrime group, the Lapsus$ group, and the Yanluowang ransomware operators.”

These discrepancies don’t seem to bother eSentire analysts in the least:

It seems unlikely (but not impossible) that Conti is providing its infrastructure to Evil Corp. More plausible is that “partner” Evil Corp/UNC2165 may be working with one of Conti’s new subsidiaries. It is also possible that the initial access to the company’s network was provided by a “partner” Evil Corp, but was eventually sold to Hive operators and related entities.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *