New Report on Okta Hack Reveals the Entire Episode LAPSUS$ Attack

An independent security researcher has shared what’s a detailed timeline of events that transpired as the notorious LAPSUS$ extortion gang broke into a third-party provider linked to the cyber incident at Okta in late January 2022.

In a set of screenshots posted on Twitter, Bill Demirkapi published a two-page “intrusion timeline” allegedly prepared by Mandiant, the cybersecurity firm hired by Sitel to investigate the security breach. Sitel, through its acquisition of Sykes Enterprises in September 2021, is the third-party service provider that provides customer support on behalf of Okta.

The authentication services provider revealed last week that on January 20, it was alerted to a new factor that was added to a Sitel customer support engineer’s Okta account, an attempt that it said was successful and blocked.

The incident only came to light two months later after LAPSUS$ posted screenshots on their Telegram channel as evidence of the breach on March 22.

The malicious activities, which gave the threat actor access to nearly 366 Okta customers, occurred over a five-day window between January 16 and 21, during which the hackers carried out different phases of the attack, including privilege escalation after gaining an initial foothold, maintaining persistence, lateral movement, and internal reconnaissance of the network.

Okta claimed that it had shared indicators of compromise with Sitel on January 21 and that it received a summary report about the incident from Sitel only on March 17. Subsequently, on March 22, the same day the criminal group shared the screenshots, it said it obtained a copy of the complete investigation report.

Subsequently, on March 22, the same day the criminal group shared the screenshots, it obtained a copy of the complete investigation report.

“Even when Okta received the Mandiant report in March explicitly detailing the attack, they continued to ignore the obvious signs that their environment was breached until LAPSUS$ shined a spotlight on their inaction,” Demirkapi wrote in a tweet thread.

The San Francisco-based company, in a detailed FAQ posted on March 25, acknowledged that its failure to notify its users about the breach in January was a “mistake.”

“In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today,” Okta said, adding it “should have more actively and forcefully compelled information from Sitel.”

Sitel, for its part, said it’s “cooperating with law enforcement” on the incident and has clarified that the breach affected “a portion of the legacy Sykes network only,” adding it “took swift action to contain the attack and to notify and protect any potentially impacted clients who were serviced by the legacy organization.”

The development comes as the City of London Police told The Hacker News last week that seven people connected to the LAPSUS$ gang were arrested and subsequently released under investigation. “Our enquiries remain ongoing,” the agency added.