Ever since the digital extortion group Lapsus$ first revealed it had breached the identity management platform Okta through one of the company’s subprocessors, customers and organizations in the tech industry have struggled to understand the true impact of the incident. The sub-processor, Sykes Enterprises, which is owned by business services outsourcing company Sitel Group, publicly confirmed last week that it suffered a data breach in January 2022. Now, leaked documents reveal Sitel’s first breach notification to customers, including Okta, on Jan. 25, as well as a detailed “Intrusion Timeline” from March 17.
The documents raise serious questions about the state of Sitel/Sykes’ security prior to the breach, and highlight obvious gaps in Okta’s response to the incident. Okta and Sitel both declined to comment on the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED.
When the Lapsus$ group posted screenshots on March 21 alleging it had breached Okta, the company said it had already received Sitel’s report on March 17, before the hackers made the information public. In fact, the company initially said, “The Okta service has not been breached.” WIRED has not seen the full report, but the “Intrusion Timeline” alone would presumably be highly alarming for a company like Okta, which essentially holds the keys to the kingdom for thousands of large organizations. Okta said last week that the “maximum potential impact” of the breach reaches 366 customers.
The timeline, which was apparently compiled by Mandiant security researchers or based on data collected by the company, shows that the Lapsus$ group was able to use well-known and widely available hacking tools, such as the password grabber Mimikatz, to rampage through Sitel’s systems. Early on, the attackers were also able to obtain sufficient system privileges to disable security scanning tools that might have spotted the intrusion sooner. The timeline shows that attackers initially compromised Sykes on January 16 and then ramped up their attack throughout the 19th and 20th until their final login on the afternoon of the 21st, which the timeline calls “Mission Complete”.
“The timeline of the attack is embarrassingly concerning for the Sitel group,” said Demirkapi. “The attackers didn’t do much to maintain operational security. They literally searched the internet on their compromised machines for known malicious tools, and downloaded them from official sources.”
Even with just the information that Sitel and Okta have described receiving in late January, it’s unclear why the two companies did not mount more comprehensive and urgent responses while Mandiant’s investigation was underway. Mandiant also declined to comment on this story.
Okta has publicly said it detected suspicious activity on a Sykes employee’s Okta account on January 20-21 and shared information with Sitel at the time. Sitel’s “Customer Communications” on Jan. 25 would have seemingly indicated that there was even more wrong than Okta previously knew. The Sitel document describes “a security incident … within our VPN gateways, Thin Kiosks and SRW servers.”