In the week since the digital extortion group Lapsus$ first revealed that it had breached the identity management platform Okta through one of the company's subprocessors, customers and organizations across the tech industry have been scrambling to understand the true impact of the incident. The subprocessor, Sykes Enterprises, which is owned by the business services outsourcing company Sitel Group, confirmed publicly last week that it suffered a data breach in January 2022. Now, leaked documents show Sitel's initial breach notification to customers, which would include Okta, on January 25, as well as a detailed “Intrusion Timeline” dated March 17.
The documents raise serious questions about the state of Sitel/Sykes' security defenses prior to the breach, and they highlight apparent gaps in Okta's response to the incident. Sitel declined to comment about the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED.
Okta said in a statement, “We are aware of the public disclosure of what appears to be a portion of a report Sitel prepared regarding its incident. … Its content is consistent with the chronology we have disclosed regarding the January 2022 compromise at Sitel.” The company added, "Once we received this summary report from Sitel on March 17, we should have moved more swiftly to understand its implications. We are determined to learn from and improve following this incident."
When the Lapsus$ group published screenshots claiming it had breached Okta on March 21, the company says that it had already received Sitel's breach report on March 17. But after sitting with the report for four days, Okta seemed to be caught flat-footed when the hackers took the information public. The company even initially said, “The Okta service has not been breached.” WIRED has not seen the complete report, but the "Intrusion Timeline" alone would presumably be deeply alarming to a company like Okta, which essentially holds the keys to the kingdom for thousands of major organizations. Okta said last week that the “maximum potential impact” of the breach reaches 366 customers.
The timeline, which was seemingly produced by security investigators at Mandiant or based on data gathered by the firm, shows that the Lapsus$ group was able to use extremely well known and widely available hacking tools, like the password-grabbing tool Mimikatz, to rampage through Sitel's systems. At the outset, the attackers were also able to gain enough system privileges to disable security scanning tools that might have flagged the intrusion sooner. The timeline shows that attackers initially compromised Sykes on January 16 and then ramped up their attack throughout the 19th and 20th until their last login on the afternoon of the 21st, which the timeline calls “Complete Mission.”
“The attack timeline is embarrassingly worrisome for Sitel group,” Demirkapi says. “The attackers did not attempt to maintain operational security much at all. They quite literally searched the internet on their compromised machines for known malicious tooling, downloading them from official sources.”
With just the information Sitel and Okta have described having right away at the end of January, though, it is also unclear why the two companies do not seem to have mounted more expansive and urgent responses while Mandiant's investigation was ongoing. Mandiant also declined to comment for this story.
Okta has said publicly that it detected suspicious activity on a Sykes employee’s Okta account on January 20 and 21 and shared information with Sitel at that time. Sitel's “Customer Communication” on January 25 would have seemingly been an indication that even more was awry than Okta previously knew. The Sitel document describes "a security incident … within our VPN gateways, Thin Kiosks, and SRW servers."
Sitel's notification does, however, seemingly attempt to downplay the severity of the incident. The company wrote at the time (emphasis theirs), "we remain confident that there are no Indicators of Compromise (IoC) and there is still no evidence of malware, ransomware, or endpoint corruption."
The Lapsus$ hackers have been rapidly ramping up their attacks since they came on the scene in December. The group has targeted dozens of organizations in South America, the United Kingdom, Europe, and Asia and stole source code and other sensitive data from companies like Nvidia, Samsung, and Ubisoft. They do not spread ransomware, instead threatening to leak stolen information in apparent extortion attempts. At the end of last week, City of London police arrested seven people, ages 16 to 21, in connection with Lapsus$, but reportedly released all seven without charges. In the meantime, the group's Telegram channel has remained active.
Demirkapi says that the leaked documents are confounding and that both Okta and Sitel need to be more forthcoming about the sequence of events.
“We take our responsibility to protect and secure our customers' information very seriously,” Okta chief security officer David Bradbury wrote last week. “We are deeply committed to transparency and will communicate additional updates when available.”
Updated Tuesday March 19, 2022 at 9:15am ET to include comment from Okta.
- 📩 The latest on tech, science, and more: Get our newsletters!
- The infinite reach of Facebook's man in Washington
- Of course we're living in a simulation
- A big bet to kill the password for good
- How to block spam calls and text messages
- The end of infinite data storage can set you free
- 👁️ Explore AI like never before with our new database
- ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers
