Okta Reports Lapsus$ Hackers Breach Affects Just Two Customers

On Tuesday, identity and access management firm Okta announced the conclusion of its investigation into a security breach involving a third-party vendor, which occurred in January 2022. The breach, attributed to the notorious LAPSUS$ hacking group, was previously thought to have affected 366 customer tenants. However, after a thorough review, Okta revealed that the actual impact was considerably more limited, affecting only two customer tenants.

In its statement, Okta indicated that the “impact of the incident was significantly less than the maximum potential impact” that had been estimated earlier. The unauthorized access to customer accounts happened on January 21, 2022, when the LAPSUS$ group gained remote access to a workstation utilized by a support engineer from Sitel, a third-party vendor. The breach remained under wraps until nearly two months later, when the group shared images of Okta’s internal systems on their Telegram channel.

During the intrusion, it was confirmed that the attackers accessed two active customer tenants through the SuperUser application, which provides basic account management functionalities. They were also reported to have viewed limited information in other applications like Slack and Jira, which aligns with earlier findings regarding the breach.

David Bradbury, Okta’s Chief Security Officer, detailed that the unauthorized access lasted for 25 minutes on the day of the incident. Crucially, he emphasized that the threat actor was unable to carry out any configuration changes, multi-factor authentication resets, or impersonation of customer support agents during this time. He noted that the attacker was also unable to authenticate to any Okta accounts directly.

Okta has faced scrutiny regarding the timing of its disclosure and its overall handling of the incident. In response, the company has terminated its association with Sitel and made adjustments to its customer support tools to limit the information accessible to technical support engineers.

The incident maps to tactics in the MITRE ATT&CK framework, in particular initial access (here, a compromised third-party support workstation), persistence, and the potential for privilege escalation. These tactics describe the phases of an attack and show how an adversary can reach sensitive data by compromising a vendor's systems rather than the target's own.

As businesses increasingly rely on third-party vendors, incidents like the Okta breach underscore the need for strong security practices and vendor risk management, including limiting what support tooling can expose. Continuous monitoring of third-party access and a tested incident response plan remain essential for safeguarding against such threats.
