Cyber Incident Victim: Cisco

Date: Sep 2018

Location: United States of America

Summary

A former Cisco engineer accessed the company's cloud infrastructure without authorization months after resigning and deployed malicious code that deleted 456 virtual machines supporting WebEx Teams, causing over 16,000 accounts to be shut down for approximately two weeks. The incident resulted in over $2.4 million in recovery costs and customer refunds, though no customer data was compromised. The individual pleaded guilty to intentionally accessing protected systems without authorization and recklessly causing damage, and faced potential imprisonment, fines, and deportation. The company implemented additional safeguards following the breach and confirmed it has processes in place to prevent recurrence.

Description

On September 24, 2018, Sudhish Kasaba Ramesh, a former Cisco engineer who had resigned from the company in April 2018, intentionally accessed Cisco’s cloud infrastructure hosted on Amazon Web Services without authorization. During this unauthorized access, Ramesh deployed malicious code from his Google Cloud Project account targeting Cisco’s WebEx Teams collaboration platform, which provided video conferencing, messaging, and file-sharing services. His actions resulted in the immediate deletion of 456 virtual machines supporting the WebEx Teams application infrastructure. This caused a cascading failure that forced Cisco to shut down over 16,000 WebEx Teams accounts to contain further damage. The accounts remained non-operational for approximately two weeks while restoration efforts were underway. Cisco confirmed no customer data was compromised during the incident, though the disruption severely impacted service availability. Ramesh later admitted in legal proceedings that his actions were reckless and that he consciously disregarded the substantial risk of damage his deletions would cause. The incident was discovered and addressed by Cisco’s internal teams shortly after the attack occurred, with law enforcement involvement initiated by the company.

Cisco incurred over $2,400,000 in direct costs related to customer refunds and employee labor required to restore the deleted virtual machines and affected accounts. The company implemented additional safeguards to prevent similar incidents following a post-incident review. Ramesh was charged with one count of Intentionally Accessing a Protected Computer Without Authorization and Recklessly Causing Damage, pleading guilty in a July 30, 2020 plea agreement. Released on $50,000 bond, he faced a maximum penalty of five years imprisonment and a $250,000 fine at his scheduled December 9, 2020 sentencing hearing. As a non-U.S. citizen on an H1 visa with a pending green card application, Ramesh also risked deportation to India upon conviction despite his employer Stitch Fix’s stated willingness to support his immigration status. Cisco publicly acknowledged law enforcement collaboration in the case and expressed confidence in its updated security processes. Ramesh was no longer employed by Stitch Fix as of September 1, 2020, according to company statements.
