The company's Talos Intelligence security unit issued a long blog post on Wednesday, providing details of the incident, but not specifying when the actual break-in occurred.
The website Bleeping Computer, which reports on numerous ransomware incidents, said it had been emailed a list of files last week, which were claimed to have been stolen during the attack.
Coincidentally, Cisco's mea culpa came on the same day — 10 August — when the attackers, the Yanluowang ransomware gang, published a list of documents on the dark web which were claimed to belong to Cisco.
"After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimise forensic artifacts, and increase their level of access to systems within the environment," the post said.
"The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.
"We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cyber crime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators."
No ransomware was deployed on Cisco's servers during the attack.
Commenting on the incident, Lior Yaari, chief executive and co-founder of Grip Security, an Israeli cyber security start-up that provides SaaS visibility, governance and data security, said: "This is a great example of attackers stealing a personal credential and using it to penetrate the enterprise. This is probably occurring far more frequently than reported in the news.
"The use of SaaS services is exacerbating this problem and expanding a company’s attack surface because employees do tend to use personal passwords for SaaS used at work.”