Cloudflare Exposes Nation-State Cyberattack Targeting Its Infrastructure
Cloudflare has disclosed that it was the target of a sophisticated cyberattack, likely orchestrated by a nation-state actor, who exploited stolen credentials to gain unauthorized access to its Atlassian server. The breach allowed the attacker to access certain documentation and a limited amount of source code belonging to the web infrastructure company.
The intrusion occurred between November 14 and 24, 2023, and was detected on November 23. Cloudflare described the threat actor as methodical, indicating that the attack aimed to secure “persistent and widespread access” to its global network. The company has since taken significant defensive measures, including rotating over 5,000 production credentials, physically segmenting test and staging systems, and conducting forensic analyses on nearly 4,900 systems.
During the four-day reconnaissance phase, the attacker accessed Atlassian Confluence and Jira, subsequently creating a rogue user account to establish persistent access to the Atlassian server. This breach ultimately allowed the adversary to reach the Bitbucket source code management system by utilizing the Sliver adversary simulation framework.
Out of approximately 120 code repositories accessed, 76 are believed to have been exfiltrated. These repositories primarily contained information regarding Cloudflare’s backup procedures, its global network management, and identity framework, including the use of Terraform and Kubernetes. Notably, some of these repositories included encrypted secrets, which were rotated immediately, despite their strong encryption.
The threat actor attempted to access a console server linked to an unreleased data center in São Paulo, Brazil, but this effort was unsuccessful. The attack relied on a single access token along with three service account credentials tied to Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were compromised during a prior breach of Okta’s support management system in October 2023.
Cloudflare has acknowledged its failure to rotate these credentials, mistakenly assuming they were inactive. Following the incident, the company took swift action to terminate all malicious access points identified as originating from the threat actor and engaged cybersecurity firm CrowdStrike for an independent assessment of the breach.
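The failure described above has a simple shape: a credential exposed in a vendor breach was left unrotated because it looked inactive, and "inactive" turned out to mean "not yet used by the attacker". The following is an added example, not Cloudflare's or Okta's code, of how a defender can encode the correct rule in a credential-inventory audit: anything named in a breach notification and not rotated since the breach date gets rotated regardless of usage, exposed credentials that were in fact used after the exposure date are escalated as compromised, and unused secrets are treated as attack surface to revoke rather than as safe. The inventory, usage events, and the exact breach date are constructed; the page only says the Okta incident was in October 2023.

```python
"""Audit a credential inventory against a third-party breach notification.

Added example (not Cloudflare's or Okta's code). All names, dates and
usage events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    name: str            # label used in logs and in the vendor notification
    system: str          # system the credential grants access to
    last_rotated: date   # when the secret value was last changed
    exposed: bool        # True if listed in the vendor's breach notification


# A usage event is (credential name, date observed), e.g. from auth logs.
UsageEvent = Tuple[str, date]


def last_use(events: List[UsageEvent], name: str) -> Optional[date]:
    """Most recent observed use of a credential, or None if never seen."""
    dates = [d for n, d in events if n == name]
    return max(dates) if dates else None


def classify(cred: Credential, events: List[UsageEvent],
             breach_date: date, today: date, dormant_days: int = 90) -> str:
    """Decide what to do with one credential.

    Exposure is checked before usage on purpose: whether a leaked secret
    has been seen in our logs says nothing about whether the attacker
    holds a working copy of it.
    """
    used = last_use(events, cred.name)
    if cred.exposed and cred.last_rotated <= breach_date:
        # Exposed and never rotated since the breach.
        if used is not None and used > breach_date:
            # Observed in use after exposure: assume compromise, rotate and investigate.
            return "EXPOSED_AND_USED"
        # No use observed: still rotate; "looks inactive" is not a defence.
        return "EXPOSED_ROTATE_NOW"
    if used is None or (today - used).days > dormant_days:
        # Unexposed but unused: a standing credential nobody needs is attack surface.
        return "DORMANT_REVOKE"
    return "OK"


def audit(creds: List[Credential], events: List[UsageEvent],
          breach_date: date, today: date) -> Dict[str, str]:
    """Map every credential name to its required action."""
    return {c.name: classify(c, events, breach_date, today) for c in creds}


# Constructed sample data. BREACH_DATE is a placeholder for the vendor's
# notification date; the page only states "October 2023".
BREACH_DATE = date(2023, 10, 20)
TODAY = date(2023, 11, 25)

INVENTORY = [
    Credential("svc-bitbucket", "Atlassian Bitbucket", date(2023, 6, 1), exposed=True),
    Credential("svc-aws", "AWS", date(2023, 6, 1), exposed=True),
    Credential("svc-smartsheet", "Smartsheet", date(2023, 10, 25), exposed=True),  # rotated after breach
    Credential("svc-build", "CI runner", date(2023, 9, 1), exposed=False),
    Credential("svc-legacy", "retired wiki", date(2022, 1, 1), exposed=False),
]

EVENTS = [
    ("svc-bitbucket", date(2023, 11, 15)),   # exposed credential used after the breach
    ("svc-build", date(2023, 11, 24)),
    ("svc-smartsheet", date(2023, 11, 1)),
]

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY, EVENTS, BREACH_DATE, TODAY).items():
        print(f"{name:16} {verdict}")
```

In the constructed data, `svc-aws` is the case the article describes: exposed, never rotated, and with no usage in our logs, which is exactly why the rule must not consult usage before deciding to rotate. `svc-bitbucket` shows the worse outcome of waiting, a leaked secret already in use during the intrusion window.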
The only production systems that were compromised were within Cloudflare’s Atlassian environment. Subsequent analyses of the wiki pages, bug databases, and source code repositories accessed by the intruder suggest their intent was to gather intelligence on the architecture, security, and operational management of Cloudflare’s global network.
In the context of the MITRE ATT&CK framework, several tactics and techniques could have been employed during this attack. “Initial access” likely occurred through credential theft, enabling “persistence” via rogue accounts. Furthermore, “reconnaissance” and “credential dumping” would have helped the adversary move through Cloudflare’s infrastructure.
As cyber threats continue to evolve, the vulnerabilities exploited in this notable incident underscore the critical need for robust security protocols and vigilant credential management. This breach serves as a reminder for organizations to continuously reevaluate their security posture to mitigate similar risks in the future.