Cyber Threat Actor: Sudhish Kasaba Ramesh
| Actor Type | Location | Known Incidents |
Insider - Disgruntled
|
India
|
1 incident |
|---|
Profile
Sudhish Kasaba Ramesh, also known by the alias Sudhish Kasaba Ramesh, is an individual who was identified as a former Cisco engineer residing in India. In September 2018, approximately five months after resigning from Cisco, he gained unauthorized access to the company’s cloud infrastructure hosted on Amazon Web Services. During this intrusion he deployed code from his personal Google Cloud Project account that resulted in the deletion of 456 virtual machines supporting Cisco’s WebEx Teams service. The deletion caused more than 16,000 WebEx Teams accounts to be shut down for roughly two weeks, prompting Cisco to incur over $2.4 million in recovery costs and customer refunds. Although the disruption was substantial, investigators confirmed that no customer data was compromised as a result of his actions. Ramesh later pleaded guilty to intentionally accessing a protected computer without authorization and recklessly causing damage, acknowledging that his conduct was reckless and that he ignored the substantial risk of harm. The case highlighted the potential impact of insider threats even after employment has ended and led Cisco to implement additional safeguards to prevent similar incidents.
The only publicly documented tactic associated with Ramesh involves the use of a Google Cloud Project account to execute destructive code against cloud‑hosted virtual machines, indicating a reliance on scripting or automation rather than traditional malware families. Initial access appears to have been achieved through credentials or permissions that remained valid after his resignation, allowing him to connect to Cisco’s AWS environment without needing to exploit vulnerabilities or employ phishing techniques. No evidence links him to any state‑sponsored group, criminal consortium, or broader ideological motive; the available records describe him as an individual acting alone. The Cisco incident remains the sole attributed operation in open sources, serving as a representative example of how former employees with retained access can cause significant service disruption and financial loss. This case is frequently cited in discussions of insider threat mitigation and the importance of promptly revoking access privileges upon employee departure.
