Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Cisco WebEx

Incident Details

Victimized Company: Cisco
Incident Dates: 2020-09-24 to 2021-02-10
Disclosure Date: 2020-09-24
Current Status: Threat Actor pled guilty.

In September 2018, a former engineer used AWS credentials left over from his time of employment to delete 456 virtual machines for Cisco’s WebEx Teams application. Cisco cited the outage as costing over $2.4M.

Incident

Details of the Incident

In September of 2018, a former Cisco Engineer deleted 456 Virtual Machines for Cisco’s WebEx.

The official DOJ press release names Sudhish Kasaba Ramesh as the person behind the incident. Ramesh, a former Cisco engineer, worked as part of the platform team responsible for automation, logging metrics, and learning. He possessed an access key for the WebEx application, which was hosted on AWS servers. [1]

Following his resignation from the company, Ramesh deployed code from his Google Project account that deleted 456 virtual machines for Cisco’s WebEx Teams application, which provides video meetings, messaging, file sharing, and more. Over 16,000 WebEx Teams accounts were shut down for 2 weeks, causing roughly $2.4 million in damages for Cisco. In his plea, Ramesh states that “he took reckless actions and did not consider the possible risk and consequences it would bring to Cisco”.

Timeline

| Date | Event |
|---|---|
| April 24, 2018 | Ramesh resigns from Cisco. |
| September 24, 2018 | Ramesh “used his AWS key to access Cisco’s AWS account that maintained the servers for WebEx through his Google Cloud Platform account. He then issued commands over the course of two hours that deleted approximately 456 servers, resulting in the complete shutdown of the WebEx Teams application.” [2] |
| July 13, 2020 | Ramesh is charged with one count of Intentionally Accessing a Protected Computer Without Authorization and Recklessly Causing Damage. |
| July 30, 2020 | Ramesh enters a plea agreement citing his accessing Cisco’s cloud infrastructure hosted on AWS without authorization. |
| August 26, 2020 | Ramesh pleads guilty to one count of intentionally accessing a protected computer without authorization and causing damage to Cisco. |
| December 9, 2020 | Ramesh is sentenced following his guilty plea. |
| February 10, 2021 | Ramesh begins his sentence of 24 months in prison, a fine of $15,000, and another year of supervision following his release. |

Attribution / Perpetrator

Per the official DOJ press release, former engineer Sudhish Kasaba Ramesh pleaded guilty to one charge of Intentionally Accessing a Protected Computer Without Authorization and Recklessly Causing Damage. In December 2020 he was sentenced to 24 months in prison and a fine of $15,000.

The case study also noted that the FBI identified him as the one responsible after seeing his name registered under the Google Platform account and the credit card used to pay for it. Ramesh also used his work laptop at the same IP address from which the attack was launched.

Long-term impact

Cisco had to pay out $1 million in damages and another $1.4 million in refunds to customers for the 2-week downtime. However, despite the damages, Cisco ultimately decided not to seek compensation from Ramesh.

Summary of coverage

Cloud Security lessons learned.

Cisco should have disabled Ramesh’s access upon his departure. That he still had access 5 months after departing the company indicates:

  • Cisco was, in 2018, still using IAM Users instead of Federated Identities tied to employee systems
  • Cisco was, in 2018, still issuing IAM Access Keys
  • Cisco was, in 2018, not leveraging any form of CSPM solution or otherwise deactivating unused access keys.
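
The offboarding check these lessons imply can be sketched as follows. This is an added example, not code from the original write-up or from Cisco. It assumes the account's IAM credential report is available as CSV and that HR can supply a roster of departed staff. The user names, the account ID, the `DEPARTED` mapping and the 90-day threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (only the columns this check reads are included).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,true,2018-08-01T09:00:00+00:00,2018-09-20T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2017-11-02T09:00:00+00:00,2018-09-24T18:30:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2017-01-10T09:00:00+00:00,N/A,true,2018-09-01T09:00:00+00:00,2018-09-23T02:00:00+00:00
"""

# Hypothetical HR export: IAM user name -> last day of employment.
DEPARTED = {"bob": datetime(2018, 4, 24, tzinfo=timezone.utc)}


def parse_ts(value):
    """Report timestamps are ISO 8601; 'N/A' and 'no_information' mean none."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_access_keys(report_csv, departed, now, max_age_days=90):
    """Return (user, key_slot, reason) for every active key that should go."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            left = departed.get(row["user"])
            if left is not None:
                reason = "owner departed"
                if used and used > left:
                    reason += ", used after departure"
                findings.append((row["user"], slot, reason))
            elif rotated and (now - rotated).days > max_age_days:
                reason = "never used" if used is None else "not rotated"
                findings.append((row["user"], slot, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_access_keys(
            SAMPLE_REPORT, DEPARTED, datetime(2018, 9, 25, tzinfo=timezone.utc)):
        print(finding)
```

Run on a schedule against a fresh credential report, a check like this surfaces a departed employee's still-active key long before the five-month gap seen in this incident.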