Digital identity firm suffers fourth breach in 2022
Identity management software provider Okta has suffered its fourth cyber attack this year, after some of the company’s source code was obtained from a hacked private Github repository earlier this month.
The frequency of attacks on the company reflects the value of the data it holds, rather than any inherent security flaws in the systems, security researchers believe. But as each attack exposes more of Okta’s infrastructure, the likelihood of a large-scale supply chain attack similar to the 2020 Solarwinds breach increases.
How the latest Okta breach happened
Github notified Okta of suspicious activity on the company’s account earlier this month.
A security alert sent out by Okta’s head of security, David Bradbury, and set off Bleeding computer confirmed the incident. “After investigation, we have concluded that such access was used to copy Okta code repositories.”
The attack has so far had limited impact, Okta said. “Our investigation concluded that there was no unauthorized access to the Okta service and no unauthorized access to customer data,” the company said in a statement. “Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure.”
The company says the impact of the breach has been limited to Okta Workforce Identity Cloud code stores, which do not contain customer data. “This event does not affect any other Okta products and we have been in communication with our customers,” Okta’s statement said.
Mis-four melody hits Okta
This is Okta’s fourth cyber security incident in recent months. In September, the Okta-owned authentication service Auth0 suffered a similar attack. Hackers notified Okta that they had a copy of certain Auth0 code stores dating back to October 2020. Again, there was no unauthorized access due to loss of code, Auth0 said at the time.
Also in August, the security company Group-IB released a report on an attack campaign called 0ktapus. This apparently used Okta credentials to target messaging app Signal, which reported at the time that “1,900 of its users’ accounts were likely hacked.” The perpetrators used the Okta data to bypass multi-factor authentication, the report explains.
Content from our partners
Okta’s most high-profile breach came in March, when the company was subjected to a cyber attack by the hacker gang Lapsus$. The gang, who were on a crime spree against Big Tech companies at the time, claimed they had access to Okta’s internal systems by posting images of the systems to the Telegram channel.
Why is Okta such a target for hackers?
Okta’s cloud-based software helps businesses build secure authentication and identity control systems for apps and connected devices. The company reported revenue of $1.3 billion last year and has grown its user base rapidly in recent years, helped by its acquisition of Auth0 earlier this year. It works with over 10,000 organizations, and recently signed an agreement to provide digital identity services to the US military.
The nature of Okta’s work means that it processes a huge amount of valuable data about users, covering personal and professional information it receives, and obtains from third-party sources. This can be very valuable to criminals looking to launch attacks using stolen identities.
This, rather than the security of the company, is likely to be the reason for the frequency of the breaches, argues Raj Samani, senior vice president and chief researcher at the security company Rapid7: “We have to recognize the importance Okta plays in the security of their customers. It is an organization that is likely to face more targeted attacks than most, he said Tech Monitor.
Other factors make Okta an attractive target, says Bharat Mistry, UK and Ireland head of security company Trend Micro.
“If you can hack into Okta and get credentials while you can, that opens the door to a number of different platforms,” he says. “Okta is not only used exclusively in the cloud, it is used elsewhere as well. Anywhere you need identity mediation, Okta is likely to be used.”
What will be the consequences of such an attack?
This type of access to so many different organizations has the potential to lead to a supply chain attack, similar to the one that hit managed services provider Solarwinds. On that occasion, hackers who breached MSP’s system were able to gain access to customers, which included the US government.
“Such an attack [on Okta] can be more than Solarwinds,” argues Mistry. “Not everyone uses Solarwinds as it is not quite enterprise grade in the same way. But with Okta’s reach, the consequences can be devastating. Identity is at the heart of everything, and Okta is prominent in the space.”
With this in mind, the continued breaches the company suffers may be in part intelligence missions, says Hanah (correct spelling) Darley, head of threat research at security firm Darktrace.
“Multiple breaches affecting the same organization, as is the case with Okta, can be an indicator that a threat actor is using information or credentials stolen in one breach to regain access via another route,” says Darley. “A hacker having access to the source code, even if it is subsequently modified, means they can study the core logic of the code and gain insight into the operation of an organization’s backend infrastructure.”
Understanding a company’s underlying systems is critical to staging a supply chain attack, Mistry adds. “If you understand how Okta does some of these things, understand what the mechanics are behind it, typically around things like encryption, you understand how it can be broken and you can actually start targeting those loopholes,” he says. “This attraction is there not only for ordinary cybercriminals, but also for their nation-state hackers as well.”
