New Lapsus$ Hack Documents Make Okta’s Response Look Stranger


In the week since the Lapsus$ digital extortion group first revealed that it had breached the identity management platform Okta through one of the company’s subprocessors, technology industry customers and organizations have been trying to understand the actual impact of the incident. The subprocessor, Sykes Enterprises, owned by the business services outsourcing company Sitel Group, publicly confirmed last week that it suffered a data breach in January 2022. Now, leaked documents show Sitel’s initial breach notice to customers, including Okta, on January 25, as well as a detailed “Timeline of Intrusion” dated March 17.

The documents raise serious questions about Sitel/Sykes’ security defenses prior to the breach, and they highlight glaring gaps in Okta’s response to the incident. Okta and Sitel both declined to comment on the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED.

When the Lapsus$ group released screenshots on March 21 claiming that it had compromised Okta, the company said that it had received Sitel’s breach report on March 17. But after sitting with the report for four days, Okta was apparently caught off guard when the hackers made the information public. The company even initially stated, “The Okta service has not been breached.” WIRED has not seen the full report, but the “Timeline of Intrusion” alone would likely be deeply alarming for a company like Okta, which essentially holds the keys to the kingdom for thousands of large organizations. Okta said last week that the “maximum potential impact” of the breach reached 366 customers.

The timeline, apparently created by security investigators at Mandiant or based on data the firm collected, shows that the Lapsus$ group was able to use extremely well-known and readily available hacking tools, such as the Mimikatz credential-dumping tool, to move through Sitel’s systems. Early on, the attackers also appear to have had enough system privileges to disable security scanning tools that might have flagged the intrusion sooner. The timeline shows the attackers first gaining access to Sykes on January 16 and then escalating their activity through January 19 and 20, until a final login on the afternoon of January 21 that the timeline labels “Complete mission.”

“The progress of the attack is worrying for the Sitel team,” Demirkapi said. “The attackers made no attempt to maintain operational security. They literally searched the internet on compromised machines for known malicious tools, downloading them from official sources.”

Yet even with only the information that Sitel and Okta have described as being available as early as the end of January, it is unclear why the two companies do not appear to have issued more urgent and widespread responses during the investigation. Mandiant’s investigation is ongoing, and Mandiant also declined to comment for this story.

Okta has said publicly that it detected suspicious activity on Sykes employees’ Okta accounts on January 20 and 21 and shared the information with Sitel at the time. Sitel’s “customer communication” on January 25 seems to indicate that things were far worse than what Okta previously knew. The Sitel document describes “a security issue … in our VPN gateways, Thin Kiosk, and SRW servers.”
