Who’s Behind the Okta Hack?

MC: Yeah. Like, we don’t even call it Okta. We just call it Single Sign-On because that’s the way it performs for us.

LN: Exactly.

MC: So how many companies are on Okta? Like, how many companies use it?

LN: Okta says it has more than 14,000 customers. So a lot of people, a lot of organizations, a lot of layers of dependency on this. It’s all hinging on this one point.

MC: And now, please tell us what was the hack? What did Lapsus$ do to Okta?

LN: So what actually happened is not only a direct hack of Okta. Like many companies, Okta works with a number of partners to help manage its enterprise, like process data, their contractors basically, and Okta calls them subprocessors. But because a company like Okta is so critical, and it’s dealing with such sensitive information—it’s such a sensitive mechanism is what I’m trying to say—they don’t have a lot of subprocessors. It’s only about a dozen, and they’re all sort of big names—AWS, things like that—who they’re working with. But one of them is actually the organization that was first compromised to get to a privileged Okta account. So it’s sort of like a two-step process to get there. And that organization is called Sitel, and particularly a division that Sitel acquired, called Sykes.

So the hackers targeted an employee within Sykes Sitel who had privileged access to do customer service and deal with Okta clients and data. And they compromised that account. And in doing so, that means even though a trove of passwords wasn’t directly compromised, you’re getting a lot of privileges, right? A lot of power from that account, because, for example, that account was empowered to reset passwords and reset multifactor authentication. So even though you didn’t know what the old password was necessarily, and they’re not just accessing like a plaintext list of everybody’s password at 14,000 companies or something like that, the account was giving the attackers the ability to say, “OK, well, I don’t care, because I’m just going to set a new password, and I’m going to remove this multifactor authentication and set my own multifactor authentication” or whatever it is.

And so that is the danger, and why this was such a massive revelation, because as we’ll talk about, Lapsus$ has also compromised a lot of other big companies. Okta and Sitel are not alone, but there’s sort of this additional significance and this additional potential risk for Sitel and Okta because of Okta’s position within so many other companies.

MC: Yeah. Can you tell us more about Lapsus$? How long have they been aroun,d and how did they come to our attention?

LN: The group is very interesting. They have a very chaotic energy. They emerged at least in the form that we now know them in December. And in just a few months, they’ve just been on this rampage, this tear, and ramping up the size and significance of the organizations they’re targeting. So they started out targeting like media companies, some ecommerce sites—big companies in themselves, it’s not to diminish it. Some in South America, some in the UK, a little bit across Europe, but then just sort of took a huge leap at some point to start grabbing data from companies like Nvidia and Samsung, and obviously it’s kept escalating to Okta. But also the same day that they announced or sort of leaked screenshots indicating that they had this sort of compromise of Okta, they also started dumping source code stolen from Microsoft related to Bing, Bing Maps, and Cortana.