An independent security researcher has shared a detailed timeline of the events that unfolded when the LAPSUS$ extortion gang broke into a third-party vendor involved in the cyber incident at Okta in late January 2022.
In a set of screenshots posted on Twitter, Bill Demirkapi published a two-page “intrusion timeline” attributed to Mandiant, the network security company hired by Sitel to investigate the breach. Sitel, through its September 2021 acquisition of Sykes Enterprises, is a third-party service provider that handles customer support on behalf of Okta.
The authentication provider disclosed last week that on January 20 it was alerted to a new factor being added to a Sitel customer support engineer’s Okta account, an attempt that it said was unsuccessful and blocked.
The case only came to light two months later, after LAPSUS$ posted a screenshot on its Telegram channel as evidence of the breach on March 22.
The malicious activity, which gave the attackers access to nearly 366 Okta customers, took place over a five-day period from January 16 to January 21, during which the hackers carried out different stages of the attack chain, including privilege escalation after gaining an initial foothold, persistence, lateral movement, and internal network reconnaissance.
Okta stated that it shared indicators of compromise with Sitel on January 21 and that it received the incident summary report from Sitel only on March 17. Then, on March 22, the same day the criminal group shared the screenshot, it obtained a copy of the complete investigative report.
“Even when Okta received Mandiant’s report in March detailing the attack clearly, they continued to ignore clear signs that their environment had been compromised until LAPSUS$ illuminated their inaction,” Demirkapi wrote in a tweet.
The San Francisco-based company, in a detailed FAQ posted on March 25, admitted that it was a “mistake” to fail to notify users of the breach in January.
“Based on the evidence we’ve gathered over the last week, it’s clear that we would make a different decision if we had all the facts we have today,” Okta said. “There is more positive and engaging information from Sitel.”
For its part, Sitel said it is “cooperating with law enforcement” on the incident and clarified that the breach only affected “part of the old Sykes network,” adding that it “acted quickly to prevent attack and notify and protect any potentially affected customers already served by the legacy organization.”
The development comes as the City of London Police told The Hacker News last week that seven people linked to the LAPSUS$ gang had been arrested and subsequently released under investigation. “Our inquiries are still ongoing,” the agency added.