Okta concludes investigation following cyber compromise

Okta, an identity and access management company, has released a comprehensive conclusion of its investigation into a compromise of one of its third-party vendors in January 2022.

Okta’s investigation focused on a five-day window between 16 and 21 January and ultimately found that the adversary had control for just 25 minutes. On 22 March the Lapsus$ hacking group posted on their official Telegram group claiming they had breached the company.

During that time the threat actor accessed two active customer tenants within Okta’s SuperUser application. It viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.

Notably the threat actor was unable to perform many actions including configuration changes, MFA or password resets or customer support impersonation events.

The threat actor was unable to authenticate directly to any Okta accounts.

“As a result of the thorough investigation of our internal security experts, as well as a globally recognized cyber security firm whom we engaged to produce a forensic report, we are now able to conclude that the impact of the incident was significantly less than the maximum potential impact Okta initially shared on March 22, 2022,” said David Bradbury, CSO at Okta in a 19 April statement.

Strengthening security requirements

As a result of the incident Okta has taken action to strengthen its security posture including regarding its third-party risk management.

This came to light after Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for third-party provider Sitel which provided contract workers for the company’s customer support organization.

During the Lapsus$ attack, an alert was raised by the Okta security team on 20 January to Sitel, which completed its own investigation report and delivered it two months later to Okta on 22 March. Bradbury said he was “greatly disappointed” by this timeframe.
Okta confirmed on 19 April that it has terminated its relationship with Sitel.

In addition, Okta said it is strengthening its audit procedures of its sub-processors and will confirm they comply with new security requirements.

“We will require that sub-processors who provide support services on Okta's behalf adopt ‘Zero Trust’ security architectures and that they authenticate via Okta’s IDAM solution for all workplace applications.”

In a LinkedIn post, Jason Rebholz, CISO at Corvus Insurance noted: “A company of Okta's size (and the contract value for the vendor) can mandate these requirements for a vendor. Smaller companies may struggle to enforce similar requirements but this is a good step in mandating stronger controls for high-risk vendors.”

Okta said it will also now directly manage all devices of third parties that access Okta’s customer support tools. This, the company said, will provide the necessary visibility to effectively respond to security incidents without relying on a third party.