Under Attack? Contact Us Start a Free Demo

How Lapsus$ Breached Okta and its Customers? | OKTA Lapsus$ Hack Explained!

Authored by Morgan Fitzgerald & Co-Authored by Inno Eroraha, Founder & Chief Strategist, NetSecurity Corporation

This is a detailed report on the OKTA Lapsus$ hack in January 2022, which has shaken the cyber security community. Continue to read till the end if you want to know how Lapsus$ hackers breached OKTA Networks and its customers, and how the companies responded to the hack along with the timeline of the breach.

What is OKTA?

Okta is one of the top identity and authentication platforms that provide services like SSO, Multi-factor Authentication, Lifecycle Management, etc. Thousands of businesses and governments worldwide utilize Okta as a single sign-on provider, allowing employees to securely access internal services like email, calendars, and apps.

What is Lapsus$?

'Lapsus$,' a cyber hacking group from South America with a solid social media presence on Telegram, is in the spotlight following a number of high-profile attacks. Its victims include Okta, NVIDIA, Samsung, and even Microsoft. What makes Lapsus$ notable is its exclusive focus on data theft, extraction, and extortion.

How Did OKTA Identify the Breach?

Lapsus$ hacking group tweeted pictures of Okta's internal systems, Jira bug ticketing system, and the company’s Slack on Twitter and Telegram on January 21, 2022, claiming access to Okta’s internal networks and confirming the breach.

vx-underground tweeted some of the screenshots related to Okta’s internal applications, which were actually posted by Lapsus$ hackers. Similar screenshots were also published by an independent security researcher Bill Demirkapi, in his tweet on March 21, 2022.

Lapsus$ Message on Telegram Confirming the Okta's Breach
Lapsus$ Message on Telegram Confirming the Okta's Breach
Lapsus$ Message on Telegram Confirming the Okta's Breach
Lapsus$ Message on Telegram Confirming the Okta's Breach
vx-underground Tweet - Okta's Images Leaked by Lapsus$
Bill Demirkapi Tweet - Okta's Images Leaked by Lapsus$

Customers learned about Okta's security breach in January on March 22. Okta acknowledged the breach in a blog post, confirming that 366 of its business clients were compromised, or around 2.5 percent of its total customer base. In the blog post, Okta’s Chief Security Officer, David Bradbury, stated that “Okta Security received an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The target did not accept an MFA challenge, preventing access to the Okta account.”

How did Lapsus$ Breach/Hack Happen? – Sitel Intrusion Timeline

Lapsus$ hackers first intruded on Sitel, a customer of Okta. As the first incident was reported by Sitel, its intrusion analysis was performed by Mandiant and the report copy was publicly tweeted by an independent researcher Bill Demirkapi.

Mandiant's Report - Lapsus$ Intrusion Tactics, Techniques and Timeline on Sitel
Mandiant's Report - Lapsus$ Intrusion Tactics, Techniques, and Timeline on Sitel - Part 1
Mandiant's Report - Lapsus$ Intrusion Tactics, Techniques and Timeline on Sitel - Part 2
Bill Demirkapi Tweet - Mandiant Report
  • According to the intrusion timeline, the initial compromise started on 16 Jan 2022 with a first login event from an internal user account followed by an RDP login activity [T1021.001].
  • Later, the attacker performed a bing search to download privilege escalation tools from GitHub and downloaded UserProfileSvcEop[.]exe tool. The hacker was successful in accessing an account on the machine.
  • In addition, the attacker also leveraged various hacking tools like process explorer, process hacker, mimikatz, etc., to establish the foothold at this stage and leveraged cloud applications like Pastebin to upload the accessed SAM file.
  • The attacker achieved lateral movement through RDP sessions. Using the SAM file credentials, the first malicious logon took place on 20 January 2022 from a Sykes[.]com user account to O365.
  • Upon Logon, the attacker accessed a crucial file named DomAdmins-LastPass.xlsx, which indicates an excel sheet with a list of domain administrators and their passwords.  
  • And by adding the account to the TenantAdmin group, which has broad access to the organization, likely to create a “backdoor” account to Sitel’s network that the hackers could use if they were later discovered and locked out.  
  • And incorporating the email transport rule malicious email to BCC all emails to compromised Sykes account.

It is understood from Okta’s official timeline of events that the Lapsus$ hackers were compromising Okta’s network at around the same time when the Sitel/Sykes hack had taken place.

Bill Demirkapi Tweet - RDP Connections and other activities performed by Lapsus$

How Did Okta Respond to the Lapsus$ Breach?

On March 22, Okta Chief Todd McKinnon, in his tweet, has admitted that a security incident occurred in January. His exact tweet says, “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Okta Chief Todd McKinnon Official tweet

The company has been criticized for failing to inform customers sooner about the Sitel breach following its receipt of the report from Mandiant dated March 17.

Okta’s Official Timeline of Events:

  • January 20, 2022, 23:18 - Okta Security received an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The target did not accept an MFA challenge, preventing access to the Okta account.
  • January 20, 2022, at 23:46 - Okta Security investigated the alert and escalated it to a security incident.
  • January 21, 2022, at 00:18 - The Okta Service Desk was added to the incident to assist with containing the user’s account.
  • January 21, 2022, at 00:28 - The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated.
  • January 21, 2022, at 18:00 - Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
  • January 21, 2022, to March 10, 2022 - The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
  • March 17, 2022 - Okta received a summary report about the incident from Sitel
  • March 22, 2022, at 03:30 - Screenshots shared online by LAPSUS$
  • March 22, 2022, at 05:00 - Okta Security determined that the screenshots were related to the January incident at Sitel
  • March 22, 2022, at 12:27 - Okta received the complete investigation report from Sitel

Okta chief security officer David Bradbury said the company “should have moved more swiftly to understand its implications.”

How to Detect Ransomware and Advanced Persistence Threats (APTs)?.

Cyber security threats are rapidly increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR) security solution in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.


Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

Author image
Dulles, Virginia Website
Morgan is an experienced and certified cyber security specialist with expertise in security operations, threat detection and response, forensic investigations, threat intelligence, and threat hunting.
You've successfully subscribed to NetSecurity Blog
Great! Next, complete checkout for full access to NetSecurity Blog
Welcome back! You've successfully signed in.
Unable to sign you in. Please try again.
Success! Your account is fully activated, you now have access to all content.
Error! Stripe checkout failed.
Success! Your billing info is updated.
Error! Billing info update failed.