IntelBroker, a notorious hacker group based in Serbia, has a history of breaching the servers of major companies such as Apple Inc., Facebook Marketplace, AMD, and Zscaler. Recently, the group released approximately 2.9 GB of data that it claims came from Cisco’s Cloud Instance.
In October of this year, IntelBroker made a bold claim: that it had unlawfully accessed Cisco’s DevHub instance and stolen around 4 TB of data. The stolen information reportedly included sensitive material such as SASE certificates, source code, Identity Services Engine details, WebEx product information, credentials, confidential documents, and encryption keys.
Upon investigation, Cisco initially denied any theft, asserting that no information had been taken from its servers and labelling the hacker’s claims false. Within two weeks, however, Cisco removed that statement without providing any further clarification.
By December, Cisco had revised its response, confirming that some of the stolen data was intended for public access as part of an open-source initiative. Nevertheless, it acknowledged that certain datasets contained sensitive information that should not have been exposed to the public or accessible to unauthorized parties.
Given this admission, IntelBroker’s claims appear to have been accurate. The stolen data is now being sold on the dark web, and the group that purchased it is reportedly reselling the information for profit.
IntelBroker is believed to be connected to an Iranian Persistent Threat Group and operates a cyber-leak forum called BreachForums, which has become a hub for data leaked from over 400 organizations across the globe. The group is known for stealing credentials and targeting public-facing applications such as cloud instances. It generates revenue through ransom demands, data sales on BreachForums, and malware-as-a-service offerings.
In 2023-2024, IntelBroker’s gang developed the Endurance ransomware and recently published its source code on GitHub. This file-encrypting malware overwrites targeted files and then erases the originals. The ransomware now incorporates Shamoon, a destructive data-wiping component. Once a system is infected, the victim is left with little choice but to pay the ransom, since backup systems are compromised by Endurance as well.