Okta is investigating an alleged data breach apparently launched by the Lapsus$ hacker group. Okta CEO Todd McKinnon on March 22, 2022, initially downplayed reports about screenshots tied to the alleged incident. Later the same day, Okta Chief Security Officer disclosed that up to 366 customers may be impacted by the attack -- which involved a contractor named Sitel.
In two tweets, McKinnon initially wrote on March 22, 2022:
"In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)
We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January. (2 of 2)".
The screenshots were posted by Lapsus$ on the group's Telegram channel late on March 21, 2022, Reuters reported. In an accompanying message, the group said its focus was "ONLY on Okta customers," the report indicated.
Okta Cyberattack Timeline Emerges
A more expansive statement from Okta Chief Security Officer David Bradbury disclosed that a hacker had access to a support engineer's laptop during a five-day window in January 2022. Bradbury emphasized that "the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers."
Bradbury followed up with timely outlining the attack details. Here's the timeline he published:
- January 20, 2022, 23:18 - Okta Security received an alert that a new MFA factor was added to a Sitel employee’s Okta account from a new location.
- January 20, 2022, at 23:46 - Okta Security investigated the alert and escalated it to a security incident.
- January 21, 2022, at 00:18 - The Okta Service Desk was added to the incident to assist with containing the user’s account.
- January 21, 2022, at 00:28 - The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated.
- January 21, 2022, at 18:00 - Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
- January 21, 2022 to March 10, 2022 - The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
- March 17, 2022 - Okta received a summary report about the incident from Sitel
- March 22, 2022, at 03:30 - Screenshots shared online by LAPSUS$
- March 22, 2022, at 05:00 - Okta Security determined that the screenshots were related to the January incident at Sitel
- March 22, 2022, at 12:27 - Okta received the complete investigation report from Sitel
Identity and Access Management (IAM): Under Attack?
Security experts are watching the situation closely. The reason: Okta's identity and access management (IAM) software -- spanning various single sign-on and multi-factor authentication (MFA) software tools -- may permit hackers to launch supply chain attacks that extend to Okta's MSP partners and downstream customers.
More than 15,000 organizations run Okta's software, and the platform supports 7,000 integrations, Okta's website indicates.
Although there are no reports of supply chain attacks against Okta's partner and customer ecosystem, investors appear concerned about the alleged Lapsus$ activity. Indeed, Okta's stock was down roughly 7 percent in pre-market trading on March 22, 2022 -- though shares recovered some of that lost territory during the day.
Alleged Lapsus$ Cyberattack Targets, Victims
Meanwhile, the Lapsus$ hacker group has been very active in recent weeks. The group's alleged victims include Microsoft, Nvidia and Samsung, among many others.
Blog originally published March 22, 2022. Updated thereafter with new information.