Published On: Fri, Apr 29th, 2022

Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of a cyber intrusion that have not yet been reported.

Customers only learned of Okta’s January security breach on March 22 after the Lapsus$ hacking group published screenshots revealing it had accessed Okta’s internal apps and systems some two months earlier. Okta admitted the compromise in a blog post, and later confirmed that 366 of its corporate customers are affected by the breach, or about 2.5% of its customer base.

The documents provide the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta’s network.

Okta is used by thousands of organizations and governments worldwide as a single sign-on provider, allowing employees to securely access a company’s internal systems, such as email accounts, applications, databases and more.

The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer communication sent on January 25, more than a week after hackers first compromised its network, and a detailed timeline of the Sitel intrusion compiled by incident response firm Mandiant, dated March 17, that was shared with Okta.

According to the documents, Sitel said it discovered a security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021. VPNs, or virtual private networks, are often a target for attackers since they can be exploited to remotely access a company’s network.

The timeline details how the attackers used remote access services and publicly available hacking tools to compromise and navigate through Sitel’s network, gaining deeper visibility into the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by the hackers.

According to the timeline, the hackers accessed a spreadsheet on Sitel’s internal network early on January 21 called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager. Sitel spokesperson Matt Jaffe did not dispute this characterization when reached by TechCrunch prior to publication, but instead declined to comment. A day after publication, Sitel said in a statement that the spreadsheet “simply listed account names from legacy Sykes but did not contain any passwords,” but did not offer any evidence for this claim.

About five hours later, the hackers created a new Sykes user account and added the account to a user group called “tenant administrators,” which has broad access across the organization, likely to create a “backdoor” account to Sitel’s network that the hackers could use if they were later detected and locked out. The Lapsus$ hackers were compromising Okta’s network at around the same time, according to Okta’s timeline of events.

The timeline shows that the hackers last accessed Sitel’s network on January 21 at 2 p.m. (UTC), around 14 hours after accessing the spreadsheet. Sitel issued a company-wide password reset to try to lock out the attackers.

Okta has faced criticism for not alerting customers sooner of the Sitel breach following its receipt of Mandiant’s report dated March 17. Okta chief security officer David Bradbury said the company “should have moved more quickly to understand its implications.”

Okta was unable to comment when reached prior to publication. Mandiant also did not dispute the contents of the reports but declined to comment.

Okta is just one of several big-name companies targeted by the Lapsus$ hacking and extortion group in recent months. The Lapsus$ group first emerged on the hacking scene in December after targeting Brazil’s Ministry of Health in a cyberattack that stole 50 terabytes of data, including citizens’ vaccination information. Since then, the gang has targeted several Portuguese-language companies, as well as Big Tech giants including Samsung, Nvidia, Microsoft and Okta, touting its access and stolen data to the tens of thousands of subscribers of its Telegram channel, while often making unusual demands in exchange for not publishing their victims’ stolen files.

U.K. police said last week they had arrested seven people connected to the incidents, all aged between 16 and 21.

Updated headline with comment from Sitel’s statement, sent a day after publication.


If you know more about the breach or work at Okta or Sitel, get in touch with the security desk on Signal at +1 646-755-8849 or by email at zack.whittaker@techcrunch.com.