On Monday night, the digital extortion gang Lapsus$ posted a series of increasingly shocking messages on its Telegram channel. First, the group dumped what it claimed was extensive source code from Microsoft’s Bing search engine, Bing Maps and Cortana virtual assistant software. A potential breach at an organization as large and security-conscious as Microsoft would be significant on its own, but the group followed that post with something even more alarming: screenshots, apparently taken on January 21, that appear to show Lapsus$ controlling an administrative, or “super user,” Okta account.
Okta is a near-ubiquitous identity management platform used by thousands of large organizations that want to make it easy—and most importantly, secure—for their employees or partners to sign into multiple services without juggling a dozen passwords. Previous breaches, such as the infamous Twitter debacle in 2020, have resulted from attackers gaining access to an administrative or support account that has the ability to modify customer accounts. Attackers use these system privileges to reset passwords on targeted accounts, change the email address associated with victim accounts, and generally take control. In the Twitter case, that meant attackers could lock legitimate users out of tweeting from their own accounts. With this type of access to an identity platform like Okta, however, the potential impacts are exponentially more extreme.
Lapsus$ has been on a tear since it emerged in December, stealing source code and other valuable data from increasingly prominent companies, including Nvidia, Samsung and Ubisoft, and leaking it in apparent extortion attempts. But researchers had only broadly established that the attackers appeared to use phishing to compromise their victims. It was not clear how a previously unknown and seemingly amateur group had carried out such monumental data theft. It now appears possible that some of these high-profile breaches stemmed from the Okta Group compromise.
“At the end of January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The issue was investigated and managed by the subprocessor,” Okta CEO Todd McKinnon said in a statement. “We believe the screenshots shared online are related to this event in January. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity discovered in January.”
Okta did not respond to additional questions from WIRED, including repeated questions about why the company did not publicly disclose the incident earlier.
A Microsoft spokesperson said early Tuesday morning that the company is “aware of the allegations and is investigating.”
Without more information, it’s unclear exactly how much access Lapsus$ had inside Okta or its unnamed “subprocessor.” Dan Tentler, founder of attack simulation and remediation firm Phobos Group, says the screenshots suggest Lapsus$ compromised access to an Okta site reliability engineer, a role that would potentially have broad system privileges as part of the job on infrastructure maintenance and improvement.
“All I have to go on are these screenshots, but there’s a non-zero chance it’s SolarWinds 2.0,” Tentler says, referring to last year’s massive supply chain attack launched by Russian intelligence hackers that compromised numerous high-profile companies and government agencies around the world by first penetrating the SolarWinds IT management platform. “It’s a really big deal.”