Analysing Okta cyber attack and what you should do if your business has been affected
Organisations that use Okta to provide access to their networks have been affected by a cyberattack conducted by the hacking group Lapsus$. Okta said that in a worst-case scenario, 366 of its clients had been compromised and their “data may have been viewed or acted upon”. Following news of the Okta cyber attack, shares dropped by 9% while reputational damage continues to swirl.
Okta has more than 15,000 clients worldwide – including FedEx and Thanet District Council, in Kent. It provides cloud software that helps companies secure and manage user authentication into applications, and lets developers build identity controls into websites, web services, applications and devices.
News of yet another serious cyber incident affecting a critical third-party supplier only underlines the importance of ensuring your business is safe and secure. Here we take a closer look at the recent Okta cyber attack and provide recommendations for businesses to mitigate third-party supply chain risk.
The hackers – Lapsus$ group
Organised hacking group Lapsus$ is behind the attack. The ransomware group is based in South America and has been linked to cyberattacks on other high-profile organisations. The gang’s modus operandi is to extort companies by threatening to release sensitive information unless a ransom is paid.
On March 21, 2022, Lapsus$ hacked into an administrative account for Okta, the identity management platform. Thousands of businesses worldwide use the Okta identity management platform to govern employee access to devices or applications. A breach of this kind represents a significant risk to Okta’s customers and the wider supply chain.
Microsoft has also admitted that its system was infiltrated, but the impact was limited. In a post on the Microsoft Security blog, the company revealed that Lapsus$ gained limited access to its systems using a single compromised account.
Okta cyber attack – company response
Okta has so far issued several statements describing the cyberattack and its impact on customers. The company has stated that the initial incident took place between January 16 and 21, 2022. On March 22, Okta revealed that it “detected an attempt to compromise the account of a third-party customer support engineer working for one of our sub-processors.” This indicates that Okta was itself the victim of a third-party incident.
David Bradbury, Chief Security Officer at Okta, revealed a number of screenshots were published online that were taken from a computer used by one of Okta’s third-party customer support engineers. “The sharing of these screenshots is embarrassing for myself and the whole Okta team,” he said. “I am confident in our conclusions that the Okta service has not been breached.”
Okta’s investigation of the January 2022 compromise states that its engineers have limited access and permissions, which would reduce the likelihood of an attacker breaching the Okta system itself. Okta is currently conducting further investigations by reaching out to customers who may have been compromised. The company estimates that the maximum potential impact will affect only 2.5% of its customers.
What should businesses do now?
Supply chain attacks are on the rise. Serious cyber incidents that affect critical third-party suppliers can cause widespread and long-lasting damage to organisations right around the world. In light of the role that Okta plays within an organisation’s network, businesses are rightfully concerned about the possible implications an event like this can have on their own security posture.
“The Okta cyber attack only amplifies the importance of ensuring strong cybersecurity standards across your entire supply chain,” said RiskXchange CEO Darren Craig. “As supply chains evolve, they become more complex and so must the security measures used to safeguard them. Your business is an important part of the chain so you must ensure that it is protected at all costs.”
RiskXchange suggests the following steps:
Step 1: If you are an Okta customer, contact them immediately to determine whether your organisation has been affected by the Lapsus$ breach.
Step 2: All Okta customers must search their Okta logs for any unusual activity, such as user impersonation, multi-factor authentication resets or password changes.
Step 3: Okta customers should also search the logs of applications that use Okta for authentication for any unusual activity, multi-factor resets or password changes. Conduct a full search, but focus on the dates between January 16 and 21, 2022. It is also important to look for any other signs of intrusion or breach to determine whether the hackers were able to penetrate your organisation’s network or systems.
Step 4: All organisations must identify potential exposure to Okta within their supply chain. RiskXchange’s risk monitoring platform can help with this by giving businesses full visibility over their ecosystem’s entire attack surface in real time, so that risks can be monitored and mitigated regularly to prevent unnecessary exposure. RiskXchange’s passive data collection methods are effective and have no impact on your network performance.
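As an added example (not code from RiskXchange or Okta), the following script performs the log search described in Steps 2 and 3: it reads constructed Okta System Log-style events and reports impersonation, MFA resets and password changes that fall inside the 16-21 January 2022 window, grouped by the account acted upon. The event type names are assumed from Okta's System Log catalog and should be checked against your own tenant; the sample events and e-mail addresses are constructed.

```python
"""Triage Okta System Log events for the Step 2/3 indicators (impersonation, MFA
resets, password changes) within the 16-21 January 2022 window. Event type names
are assumed from Okta's System Log catalog; confirm them against your tenant."""
import json
from datetime import datetime, timezone

# Assumed Okta System Log event types, mapped to the indicator they represent.
SUSPECT_EVENT_TYPES = {
    "user.session.impersonation.initiate": "impersonation",
    "user.session.impersonation.grant": "impersonation",
    "user.mfa.factor.reset_all": "mfa_reset",
    "user.mfa.factor.deactivate": "mfa_reset",
    "user.account.update_password": "password_change",
    "user.account.reset_password": "password_change",
}
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive, so 21 Jan is included

# Constructed sample events in the shape of Okta System Log JSON, one per line.
SAMPLE_LOG = """
{"published":"2022-01-17T09:12:44.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"support-eng@subprocessor.example"},"target":[{"alternateId":"cfo@acme.example"}]}
{"published":"2022-01-17T09:13:02.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-eng@subprocessor.example"},"target":[{"alternateId":"cfo@acme.example"}]}
{"published":"2022-01-18T14:05:10.000Z","eventType":"user.session.start","actor":{"alternateId":"cfo@acme.example"},"target":[]}
{"published":"2022-02-03T08:00:00.000Z","eventType":"user.account.update_password","actor":{"alternateId":"alice@acme.example"},"target":[]}
"""

def parse_published(ts):
    """Okta publishes RFC 3339 timestamps with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(raw_log, start=WINDOW_START, end=WINDOW_END):
    """Return suspect events inside [start, end), grouped by the user acted upon."""
    findings = {}
    for line in raw_log.strip().splitlines():
        event = json.loads(line)
        category = SUSPECT_EVENT_TYPES.get(event["eventType"])
        when = parse_published(event["published"])
        if category is None or not (start <= when < end):
            continue
        actor = event["actor"]["alternateId"]
        # Target is the account acted upon; self-service events carry no target, so use the actor.
        targets = [t["alternateId"] for t in event.get("target", [])] or [actor]
        for user in targets:
            findings.setdefault(user, []).append(
                {"time": when.isoformat(), "category": category, "actor": actor})
    return findings

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_LOG).items():
        print(user, [(h["time"], h["category"], h["actor"]) for h in hits])
```

In the sample, only the two support-engineer actions against cfo@acme.example are reported; the February password change falls outside the window and is ignored unless the window is widened.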
Get in touch with RiskXchange to find out more about the Okta cyber attack and how you can stop supply chain attacks in their tracks.