On Monday evening, the Lapsus$ digital extortion gang published a series of increasingly shocking posts in its Telegram channel. First, the group dumped what it claims is extensive source code from Microsoft’s Bing search engine, Bing Maps, and Cortana virtual assistant software. A potential breach of an organization as big and security-conscious as Microsoft would be significant in itself, but the group followed the post with something even more alarming: screenshots apparently taken on January 21 that seem to show Lapsus$ in control of an Okta administrative or “super user” account.
Okta is a near-ubiquitous identity management platform used by thousands of large organizations that want to make it easy—and, crucially, secure—for their employees or partners to log in to multiple services without juggling a dozen passwords. Past breaches, like 2020’s notorious Twitter meltdown, have stemmed from attackers taking over access to an administrative or support account that has the ability to modify customers’ accounts. Attackers use these system privileges to reset target account passwords, change the email address linked to victim accounts, and generally take control. When they’re attacking Twitter accounts, hackers can lock legitimate users out and tweet from their profiles. When you have this type of access for an identity platform like Okta, though, the potential impacts are exponentially more extreme.
Lapsus$ has been on a tear since it emerged in December, stealing source code and other valuable data from increasingly prominent companies, including Nvidia, Samsung, and Ubisoft, and leaking it in apparent extortion attempts. But researchers had only found broadly that the attackers seemed to be using phishing to compromise their victims. It wasn’t clear how a previously unknown and seemingly amateur group had pulled off such monumental data heists. Now it seems possible that some of those high-profile breaches stemmed from the group’s Okta compromise.
“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Okta CEO Todd McKinnon said in a statement. “We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
Okta did not answer further questions from WIRED, including repeated queries about why the company didn’t publicly disclose the incident before.
A Microsoft spokesperson said early Tuesday morning that the company is “aware of the claims and investigating.”
Without more information, it is unclear exactly how much access Lapsus$ had within Okta or its unnamed “subprocessor.” Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group, says the screenshots suggest Lapsus$ compromised the access of an Okta site reliability engineer, a role that would potentially have extensive system privileges as part of infrastructure maintenance and improvement work.
“All I have to go on are these screenshots, but there is a nonzero possibility of this being a SolarWinds 2.0,” Tentler says, referencing last year’s massive supply chain attack launched by Russian intelligence hackers that compromised a slew of high-profile companies and government agencies around the world by first infiltrating the IT management platform SolarWinds. “It is indeed quite a big deal.”