"Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests"

A new report by eSentire has connected the data breach affecting Cisco Talos systems in May with an Evil Corp affiliate group. More specifically, eSentire's Threat Response Unit (TRU) discovered that the IT infrastructure used to attack Cisco was also deployed in an attempted compromise of one of its clients in April 2022. Researchers at eSentire believe that a hacker who uses the alias mx1r is the cybercriminal behind the attack. According to the security company Mandiant, the threat actor known as mx1r is a member of an Evil Corp affiliate group called UNC2165. Initially, in May, Cisco attributed its breach to a threat actor with ties to the Lapsus$ threat group, the Yanluowang ransomware operators, and a group that Mandiant calls UNC2447. Researchers at eSentire stated that while the tactics, techniques, and procedures (TTPs) of the attack against Cisco matched those of Evil Corp, the infrastructure used matched that of a Conti ransomware affiliate, which has been seen deploying both Hive and Yanluowang ransomware payloads. The researchers noted that after examining various technical details of the malicious infrastructure leveraged, they found a handful of additional instances of Cobalt Strike infrastructure. eSentire's TRU tracks this infrastructure cluster as HiveStrike. According to the researchers, HiveStrike also bears some similarities to the ShadowStrike infrastructure reported by TRU earlier this year, which had affiliations with Conti. The researchers stated that it seems unlikely, but not impossible, that Conti would lend its infrastructure to Evil Corp.


Infosecurity reports: "Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests"
