An independent security researcher has published a detailed timeline of the intrusion carried out by the LAPSUS$ extortion group against Sitel, a third-party service provider, which in turn exposed Okta, a provider of authentication and identity services. The intrusion took place in January 2022.
Bill Demirkapi shared a two-page “intrusion timeline” on Twitter, suggesting it was compiled by Mandiant, the cybersecurity firm that Sitel engaged to investigate the breach. Sitel, after acquiring Sykes Enterprises in September 2021, manages customer support services for Okta.
On January 20, Okta detected an attempt to add a new MFA factor to a Sitel customer support engineer's Okta account. The attempt was blocked and did not succeed. The matter did not become public until two months later, when LAPSUS$ posted screenshots on its Telegram channel on March 22 as evidence of the intrusion.
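The January 20 signal, a factor added to an account from an unfamiliar location, is a detection most identity teams can reproduce from their own logs. The following is an added example, not code from Okta, Sitel or the researcher: it reads constructed records shaped like Okta System Log events, builds a per-user baseline of countries seen in successful sign-ins, and flags any MFA factor activation (successful or blocked) from a country outside that baseline. The event type `user.mfa.factor.activate` and the field paths are taken from the Okta System Log schema; the users, addresses and timestamps are made up.

```python
"""Flag MFA factor enrollment from a location not seen in the user's sign-in history.

Added example (not Okta's or the researcher's code). Input records are constructed
JSON Lines in the shape of Okta System Log events; field names follow the Okta
System Log schema, all values are invented for this example.
"""
import json
from collections import defaultdict

# Event types that indicate a new factor being enrolled/activated (Okta System Log).
FACTOR_EVENTS = {"user.mfa.factor.activate"}

# Constructed sample log (one JSON object per line). alice and bob sign in from a
# home country, then a factor is activated on alice's account from a new country
# (blocked), on bob's from a known country, and on carol's from a new country.
SAMPLE_LOG = "\n".join([
    '{"published":"2022-01-10T08:00:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@support.example"},"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2022-01-12T09:15:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@support.example"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2022-01-18T10:00:00Z","eventType":"user.session.start","actor":{"alternateId":"bob@support.example"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"United Kingdom"}},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2022-01-19T11:00:00Z","eventType":"user.session.start","actor":{"alternateId":"carol@support.example"},"client":{"ipAddress":"198.51.100.9","geographicalContext":{"country":"United Kingdom"}},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2022-01-20T03:41:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@support.example"},"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Romania"}},"outcome":{"result":"FAILURE"}}',
    '{"published":"2022-01-20T03:42:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"alice@support.example"},"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Romania"}},"outcome":{"result":"FAILURE"}}',
    '{"published":"2022-01-21T14:00:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"bob@support.example"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"United Kingdom"}},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2022-01-21T22:30:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"carol@support.example"},"client":{"ipAddress":"192.0.2.80","geographicalContext":{"country":"Brazil"}},"outcome":{"result":"SUCCESS"}}',
])


def _country(event):
    """Return the geolocated country of the client, or None if absent."""
    return event.get("client", {}).get("geographicalContext", {}).get("country")


def find_suspicious_enrollments(raw_log):
    """Return factor activations whose country is absent from the user's prior
    successful sign-ins. Events are processed in time order, so the baseline for
    each user only contains sign-ins that happened before the enrollment."""
    events = [json.loads(line) for line in raw_log.splitlines() if line.strip()]
    events.sort(key=lambda e: e["published"])

    known_countries = defaultdict(set)  # user -> countries seen in successful sign-ins
    alerts = []
    for event in events:
        user = event["actor"]["alternateId"]
        country = _country(event)
        succeeded = event.get("outcome", {}).get("result") == "SUCCESS"

        if event["eventType"] == "user.session.start" and succeeded:
            known_countries[user].add(country)
        elif event["eventType"] in FACTOR_EVENTS and country not in known_countries[user]:
            # Flag regardless of outcome: a blocked enrollment from a new location
            # still means someone holds credentials for this account.
            alerts.append({
                "user": user,
                "country": country,
                "ip": event.get("client", {}).get("ipAddress"),
                "outcome": event.get("outcome", {}).get("result"),
                "published": event["published"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SAMPLE_LOG):
        print(f"{alert['published']} {alert['user']} factor activation from "
              f"{alert['country']} ({alert['ip']}), outcome {alert['outcome']}")
```

Country is a coarse baseline; in production you would also key on ASN or the device, and treat a failed enrollment on a support engineer's account as grounds to reset the account and notify the outsourcer, which is what Okta reported doing on January 21.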
Okta said up to 366 of its customers were potentially affected. The attacker had access during a five-day window from January 16 to 21, and the timeline shows multiple attack phases in that period, including initial access, privilege escalation and lateral movement within the Sitel network, each mapped to MITRE ATT&CK techniques.
According to Okta, it shared indicators of compromise with Sitel on January 21 but received only a summary report on the incident on March 17. After the screenshots appeared, Okta obtained the full investigation report on March 22. Demirkapi's point was that the Mandiant material Okta received already showed clear signs of a breach, yet Okta did not act on them until LAPSUS$ publicly drew attention to its inaction.
In a FAQ published on March 25, Okta acknowledged that it should have notified customers about the January incident, and said that had it possessed all the facts it now had at the time, it would have acted very differently.
Sitel clarified its cooperation with law enforcement and stated that the breach affected only a portion of the legacy Sykes network. They asserted immediate measures were taken to contain the attack and protect potentially impacted clients.
Recent reports indicate that the City of London Police arrested seven people in connection with the LAPSUS$ group and later released them while the investigation continues. For businesses facing escalating threats, the incident is a pointed reminder that a third-party service provider with privileged support access is part of your own security boundary, and that signals from its environment need the same scrutiny as your own.