Details continue to emerge regarding the Lapsus$ breach of Okta systems and the impact of the incident on Okta customers and the broader security community. On March 21, 2022, the Lapsus$ cyber threat group posted screenshots on their Telegram channel demonstrating that the group had gained superuser access to Okta systems and access to Okta internal Slack and Jira platforms.
Okta Statement and Timeline
In a series of public statements, Okta said that the initial breach in January 2022 involved a failed attempt to add multi-factor authentication (MFA) to the account of a security engineer who was contracted to Okta through Sitel. The account’s access was reportedly terminated, and Sitel initiated a forensic investigation, which resulted in a report delivered to Okta on March 17, 2022.
The screenshots were shared on March 21, 2022, and Okta announced on March 22, 2022 that approximately 2.5% of their customers were affected by the breach. On a public call held on March 23, 2022, Okta said that 366 customer accounts were potentially compromised in the breach, a more specific number than the previously announced 2.5% statistic.
In addition to evolving public statements and privately contacting affected customers, Okta also held a series of public calls to provide information on their response to the incident. Beyond the official updates from Okta, some major cybersecurity firms, such as Cloudflare, have released independent public assessments detailing the impact of the breach on their operations. Cloudflare noted that they use Okta services in their authentication stack and determined that they had not been compromised as a result of the incident. Cloudflare advised organizations that are affected to reach out to Okta for more information on the breach and to take mitigation measures such as enabling MFA, conducting internal investigations, and implementing layered security.
Based on a review of Lapsus$ communications, the depth of the breach is likely more serious than indicated publicly to date. Screenshots posted by the threat actor demonstrate significant privileges, including superuser access and the ability to reset user credentials. This is a severe security concern for Okta customers impacted by the incident.
In a worst-case scenario, the incident constitutes a supply chain compromise that could allow threat actors to infiltrate multiple organizations through account takeovers. Okta’s services involve identity management for organizations and typically act as a layer of security, which means that the compromise of the service can allow a level of access to secondary targets that would normally be exponentially harder to achieve. Dan Tentler of the Phobos Group publicly stated that the breach has a possibility of being “SolarWinds 2.0,” which helps demonstrate the criticality of the incident to the security community.
Given the high level of privileges demonstrated in communications from Lapsus$ and the known sophistication of TTPs used by the group, this breach has the potential to create a critical attack vector for any organizations using the service.
Okta has publicly stated that they are contacting affected organizations directly, but it is advisable for organizations to conduct their own reviews to determine their level of exposure. RH-ISAC members using Okta services should remain particularly vigilant and proactive in their security posture. The Lapsus$ group has an established and recent history of compromising organizations in the retail industry. Because the group is financially motivated, the hospitality and transportation sectors also make high-value targets.
The group uses both socially and technically proficient tactics, is professional and organized in its operations, and is well-resourced. The Okta and Microsoft breaches announced this week are unlikely to be the last attacks claimed by the group in the first half of 2022, and the group should remain a high priority for all cyber defense teams in the coming months.
The news of the Okta breach comes amid an ongoing spree by Lapsus$, on which the RH-ISAC has been providing regular updates in the Member Exchange. Since the beginning of 2022, the group has claimed cyberattacks on Nvidia, Samsung, LG, Mercado Libre, Ubisoft, and Microsoft. Though initially labeled a ransomware group by the security community, the group’s ongoing spree has involved data exfiltration and leaks, source code theft, paid insiders, MFA abuse, and account takeovers.
To access additional intelligence about this incident, learn more about RH-ISAC membership.