New Lapsus$ hack docs make Okta’s response seem weirder

During the week since the digital extortion group Lapsus$ first disclosed that it had breached the Okta identity management platform through one of the company’s sub-processors, customers and organizations in the technology industry have struggled to understand the true impact of the incident. The sub-processor, Sykes Enterprises, which is owned by business services outsourcing company Sitel Group, publicly confirmed last week that it suffered a data breach in January 2022. Now, leaked documents show Sitel’s initial breach notification to customers, which would have included Okta, on January 25, as well as a detailed “Timeline of the Breach” from March 17.

The documents raise serious questions about the state of Sitel/Sykes’ defenses before the breach and highlight glaring flaws in Okta’s response to the incident. Sitel declined to comment on the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED.

Okta said in a statement: “We are aware of the public disclosure of what appears to be part of the report prepared by Sitel regarding its incident. … Its content is consistent with the timeline we disclosed regarding the January 2022 Sitel compromise.” The company added: “After receiving this summary report from Sitel on March 17, we had to act faster to understand its implications. We are determined to learn and improve after this incident.”

When the Lapsus$ group posted screenshots claiming to have breached Okta on March 21, the company said it had already received Sitel’s March 17 breach report. But after sitting with the report for four days, Okta seemed caught off guard when the hackers made the information public. The company even initially said, “The Okta service was not breached.” WIRED hasn’t seen the full report, but the “timeline of the breach” alone would likely be deeply troubling for a company like Okta, which essentially holds the keys to the kingdom for thousands of large organizations. Okta said last week that the “maximum potential impact” of the breach was up to 366 customers.

The timeline, which appears to have been prepared by security researchers at Mandiant or based on data collected by the firm, shows that the Lapsus$ group was able to use extremely well-known and widely available hacking tools, such as the Mimikatz password capture tool, to run amok through Sitel’s systems. Early on, the attackers were also able to gain enough system privileges to disable security scanning tools that could have flagged the intrusion earlier. The timeline shows the attackers initially compromised Sykes on January 16 and then ramped up their attack on the 19th and 20th until their final entry on the afternoon of the 21st, which the timeline calls “Mission Accomplished.”

“The timing of the attack is disturbingly worrying for the Sitel group,” says Demirkapi. “The attackers did not attempt to maintain operational security at all. They literally scoured the internet on their compromised machines for known malicious tools, downloading them from official sources.”

Even with only the information that Sitel and Okta have described as having had in late January, it’s unclear why the two companies don’t appear to have undertaken broader and more urgent responses while the Mandiant investigation was still under way. Mandiant also declined to comment for this story.

Okta said publicly that it detected suspicious activity on a Sykes employee’s Okta account on January 20 and 21 and shared information with Sitel at that time. Sitel’s January 25 “communication with customers” indicates that even more was wrong than Okta previously knew. Sitel’s document describes a “security incident … within our VPN gateways, Thin Kiosks and SRW servers.”
