Okta says document ‘appears to be’ part of report on Lapsus$ breach

Okta has said that a purportedly leaked timeline for the Lapsus$ breach in January, which may have impacted up to 366 Okta customers, “appears to be” part of the report on the incident.

During the January 16-21 breach, the hacker group Lapsus$ accessed a support engineer’s system at Sitel, a third-party Okta service provider, according to Okta.

On Twitter Monday, independent security researcher Bill Demirkapi posted a two-page “intrusion timeline” for the incident.

In the wake of the January breach, Sitel hired a cyber forensic firm to investigate the incident. Demirkapi identified the forensic firm as Mandiant.

In response to a VentureBeat inquiry about Demirkapi’s post, Okta did not dispute the authenticity of the documents.

“We are aware of the public disclosure of what appears to be a portion of a report Sitel prepared regarding its incident,” Okta said in a statement provided to VentureBeat on Monday.

The content of the documents is “consistent” with the timeframe for the breach previously disclosed by Okta, the company said.

Mandiant declined to comment, and Sitel did not respond to a request for comment.

The January breach was only disclosed by Okta last Tuesday, after Lapsus$ posted screenshots on Telegram as evidence of the breach.

Okta said it had received a summary report about the incident from Sitel on March 17.

“Okta is fiercely committed to our customers’ security,” the company said in its statement to VentureBeat on Monday. “Once we received this summary report from Sitel on March 17, we should have moved more swiftly to understand its implications. We are determined to learn from and improve following this incident.”

New details

The Mandiant timeline shared by Demirkapi starts on January 16, with the initial compromise of Sitel.

The detailed timeline posted previously by Okta starts on January 20, and does not include any details about what happened prior to that point.

Okta has indicated that it was unable to provide details about the incident prior to January 20 — when the company first became aware of the attack — because it did not have any evidence for the hacker group’s activities until the January 20 alert.

The document shared by Demirkapi follows the threat actor’s activities from initial compromise, to privilege escalation, to lateral movement and internal recon, to establishing a foothold in the system. The document indicates that the attacker achieved a “complete mission” on January 21.

On Friday, Okta released an apology for its handling of the January breach. The identity security vendor “made a mistake” in its response to the incident, and “should have more actively and forcefully compelled information” about what occurred in the breach, the company said.

The apology followed a debate in the cybersecurity community over Okta’s lack of disclosure for the two-month-old incident. The Okta statement on Friday stopped short of saying that the company believes it should have disclosed what it knew sooner.

However, Okta has said that the support engineers at Sitel have “limited” access, and that third-party support engineers cannot create users, delete users or download databases belonging to customers.

“We are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers,” Okta said on Friday. “We are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.”

Originally appeared on: TheSpuzz