In 2014, Cisco joined the Coordinated Malware Eradication (CME) coalition, where multiple companies cooperate to stop the growing malware threat that all customers are experiencing.  In one case, Cisco researched and published malware and activity that was using a remote access tool (RAT) called ZxShell (also known as Sensocode).

Our public blog posts may be found here:
•              Threat Spotlight: Group 72
•              Threat Spotlight: Group 72, Opening the ZxShell

The Cisco team did the ZxShell technical analysis because Novetta, Inc., who is also part of the CME, began researching a new threat in September 2014, and reached out to other member companies to help.  Novetta asked Cisco to analyze the ZxShell malware only, understand its technical nature and capability only, and publish our results – our technical results are published in the second blog post above.  This was Novetta’s only request.  Novetta referenced our technical results, but they did not ask, nor did we participate, cooperate, or contribute in the researching, identifying, or naming of who developed the malware or deployed the malware.

We are disappointed that the appearance of Cisco’s logo on the cover of the Novetta report may suggest that Cisco endorses all of the report conclusions, including conclusions that China was behind the activity described in the report.  We only endorse our findings about the technical attributes of ZxShell; the rest of Novetta’s report is unrelated to Cisco and the conclusions are their own.

We focus on protecting our customers through technical analysis of the attacks, and creating protections against them.

Cyber-attacks are global and the attacks must be stopped.  Our fundamental security objective is to protect all customers, be transparent, and be their trusted partner.  We hope this clears up any misconceptions.