Incident Details
| Victimized Company: | Cisco |
| Incident Dates: | 2020-09-24 to 2021-02-10 |
| Disclosure Date: | 2020-09-24 |
| Current Status: | Threat Actor pled guilty. |
Cisco WebEx
In September 2018 a former engineer leveraged AWS credentials, left over from his time of employment, which resulted in the deletion of 456 virtual machines for Cisco’s WebEx Teams application. Cisco cited the outage as costing over $2.4M dollars.
Incident
Details of the Incident
In September of 2018, a former Cisco Engineer deleted 456 Virtual Machines for Cisco’s WebEx.
The official DOJ Press release states Sudhish Kasaba Ramesh is the person behind the incident. Ramesh was a former engineer for Cisco. Ramesh worked as part of the platform team responsible for automation, logging metrics, and learning. He possessed an access key for the WebEx Application that was maintained by AWS Servers.1
Following his resignation from the company, Ramesh deployed code from his Google Project account, resulting in the deletion of 456 Virtual Machines for Cisco’s WebEx Team Application that allows for video meetings, messaging, file sharing, and more. Over 16,000 WebEx Teams accounts were shut down for 2 weeks causing roughly 2.4 million in damages for Cisco. In his plea, Ramesh states that “he took reckless actions and did not consider the possible risk and consequences it would bring to Cisco”.
Timeline
| Date | Event |
|---|---|
| April 24, 2018 | Ramesh resigns from Cisco. |
| September 24, 2018 | Ramesh “used his AWS key to access Cisco’s AWS account that maintained the servers for WebEx through his Google Cloud Platform account. He then issued commands over the course of two hours that deleted approximately 456 servers, resulting in the complete shutdown of the WebEx Teams application.”2 |
| July 13, 2020 | Ramesh is charged with one count of Intentionally Accessing a Protected Computer Without Authorization and Recklessly Causing Damage. |
| July 30, 2020 | Ramesh enters a plea agreement citing his accessing Cisco’s cloud infrastructure hosted on AWS without authorization. |
| August 26, 2020 | Ramesh Pleads guilty to one count of intentionally accessing a protected computer unauthorized and causing damage to Cisco. |
| December 9, 2020 | Ramesh is sentenced following his pleading guilty. |
| February 10, 2021 | Ramesh begins his sentence of 24 months in prison, a fine of 15,000$, and another year of supervision following his release. |
Attribution / Perpetrator
Per the official DOJ press release, former engineer Sudhish Kasaba Ramesh plead guilty to one charge of_ Intentionally Accessing a Protected Computer Without authorization and Recklessly Causing Damage. He was sentenced to 24 months in prison and must pay a fine of $15,000 in December 2020.
The case study also noted that the FBI identified him as the one responsible after seeing his name registered under the Google Platform account and the credit card used to pay for it. Ramesh also used his work laptop at the same IP Address from where the attack was launched._
Long-term impact
Cisco had to pay out $1 million in damages and another $1.4 million in refunds to customers for the 2-week downtime. However, despite the damages attributed Cisco ultimately decided not to seek compensation from Ramesh.
Summary of coverage
- U.S District Court of California San Jose division: Violation and Charges - July 13, 2020
- Threat Post: Cisco Spokesperson Discloses Information on Consumer Data - August 27, 2020
- Department of Justice: Press Release on Ramesh’s Imprisonment - December 9, 2020
- U.S District Court of California San Jose division: Sentencing Memorandum - December 9, 2020
- CDSE: Case Study - October 18, 2022
Cloud Security lessons learned.
Cisco should have disabled Ramesh’s access upon his departure. That he still had access 5 months after departing the company indicates:
- Cisco was, in 2018, still using IAM Users instead of Federated Identities tied to employee systems
- Cisco was, in 2018, still issuing IAM Access Keys
- Cisco was, in 2018, not leveraging any form of CSPM solution or otherwise deactivating unused access keys.