Who’s Behind the Okta Hack?

MC: Yeah. Like, we don’t even call it Okta. We just call it Single Sign-On because that’s the way that it performs for us.

LN: Exactly.

MC: So how many companies are on Okta? Like, how many companies use it?

LN: Okta says they have more than 14,000 customers. So a lot of people, a lot of organizations, a lot of layers of dependency on this. It’s all hinging on this one point.

MC: And now, please tell us what was the hack? What did Lapsus$ do to Okta?

LN: Yeah. So what actually happened, as Okta would want you to know, is not a direct hack of Okta. Okta, like many companies, works with a number of partners to help manage their enterprise, like process data, their contractors basically, and Okta calls them sub-processors. But because a company like Okta is so critical and it’s dealing with such sensitive information, but more, it’s such a sensitive mechanism is what I’m trying to say, they don’t have a lot of sub-processors. It’s only about a dozen and they’re all sort of big names, AWS, things like that, who they’re working with. But one of them is actually the organization that was first compromised to get to, like, a privileged Okta account, right? So it’s sort of like a two-step process to get there. And that organization is called Sitel, and particularly a division that Sitel acquired called Sykes.

So the hackers targeted an employee within Sykes/Sitel who had privileged access to do sort of customer service and deal with Okta clients and data. And they compromised that account. And so in doing so, right? That means even though, like, a trove of passwords wasn’t directly compromised, you’re getting a lot of privilege, right? A lot of power from that account, because, for example, that account was empowered to reset passwords and reset multifactor authentication. So even though you didn’t know what the old password was necessarily, and they’re not just accessing, like, a plain-text list of everybody’s password at 14,000 companies or something like that, the account was giving the attackers the ability to say, OK, well, I don’t care, because I’m just going to set a new password and I’m going to remove this multifactor authentication and set my own multifactor authentication or whatever it is.

And so that is the danger and why this was such a massive revelation, because, as we’ll talk about, Lapsus$ has also compromised a lot of other big companies. Okta and Sitel are not alone, but there’s sort of this additional significance and this additional potential risk for Sitel and Okta because of Okta’s position within so many other companies.

MC: Yeah. Can you tell us more about Lapsus$? How long have they been around, and how did they come to our attention?

LN: The group is very interesting. They have a very chaotic energy. They emerged, at least in the form that we now know them, in December. And in just a few months, they’ve just been on this rampage, this tear, ramping up and ramping up the size and sort of significance of the organizations they’re targeting. So they started out targeting, like, media companies, some e-commerce sites, big companies in themselves, it’s not to diminish it. Some in South America, some in the UK, a little bit across Europe, but then just sort of took a huge leap at some point to start grabbing data from companies like Nvidia, Samsung, and obviously it’s kept escalating to Okta. But also, the same day that they announced or sort of leaked screenshots indicating that they had this sort of compromise of Okta of some sort, they also started dumping source code stolen from Microsoft related to Bing, Bing Maps and Cortana.

www.wired.com
