LAPSUS$ reportedly got into Okta’s corporate network with the help of a spreadsheet of stolen passwords. The hackers found the document inside the internal systems of Sitel, an outside company that handles customer service for Okta, and from there reached Okta through a VPN connection belonging to the Sitel group.
Okta confirms cyber attack by LAPSUS$
LAPSUS$, also known as DEV-0537, is a hacker group that has carried out cyberattacks in South America. Initially, the group’s members went after targets in the United Kingdom and Latin America. In recent weeks, several international tech companies have been attacked by the collective, among them NVIDIA, Samsung, and Microsoft.
Another company recently hit by LAPSUS$ is Okta, which develops identity and authentication software for customers around the world, among them Amazon and Apple. To back up their claims, the attackers posted screenshots to their Telegram channel. Shortly afterwards, Okta acknowledged in a public statement that LAPSUS$ had indeed attacked the company. By Okta’s own account, the attackers may have accessed data of approximately 2.5 percent of its customers.
This is how LAPSUS$ managed to penetrate Okta’s network
How the hackers got into Okta’s network had not been revealed until now. Security researcher Bill Demirkapi has reconstructed how the group broke into the company’s network and laid it out as a timeline.
A key date on that timeline is Friday 21 January. That day, the hackers broke into Sitel’s internal network. Sitel provides customer service for Okta. Once inside, the attackers used hacking tools to move further through Sitel’s network, and in doing so found a document named ‘DomAdmins-LastPass.xlsx’. According to TechCrunch, it is an export from the LastPass account of a Sitel employee.
Five hours later, LAPSUS$ was inside Okta’s corporate network. It got there through a Virtual Private Network (VPN) set up via Sykes, a company in the Sitel group. To make sure they would not be locked out again, the hackers planted a backdoor on Sykes’ network.
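The practical lesson of the timeline is that a credential export lying on a file share turns one compromised contractor network into access to its customers’ VPNs. The script below is an added example, not code from the article, from TechCrunch or from Demirkapi’s timeline: a small hunt for exported credential files on a file tree, scoring files by name (password-manager exports, password lists, privileged-account lists) and, for CSV files, by whether the header contains a password column. The file names, the patterns, the ‘url,username,password,…’ header layout and the sample share it builds in a temporary directory are all constructed for illustration.

```python
# Added example (not from the article or from Demirkapi's timeline): hunt a file
# tree for exported credential files of the 'DomAdmins-LastPass.xlsx' kind.
# Patterns, file names and the sample tree are constructed for illustration.
import csv
import os
import re
import tempfile

SHEET_EXTS = {".xlsx", ".xls", ".csv", ".txt"}

# File-name heuristics; each match is worth one point.
NAME_PATTERNS = {
    "password-manager export": re.compile(r"lastpass|1password|bitwarden|keepass|dashlane", re.I),
    "password list": re.compile(r"passw(or)?ds?|pwds?|creds?|credentials|logins?", re.I),
    "privileged accounts": re.compile(r"admins?|service.?accounts?", re.I),
}

# Header columns that mark a password-manager CSV export; worth two points.
# The 'url,username,password,...' layout used in the sample is an assumption
# about common vault exports; adjust it for the formats your own users export.
CRED_COLUMNS = {"password", "passwd", "pwd", "secret"}


def csv_header(path):
    """Return the lower-cased first row of a CSV file, or [] if empty/unreadable."""
    try:
        with open(path, newline="", encoding="utf-8", errors="replace") as fh:
            return [c.strip().lower() for c in next(csv.reader(fh))]
    except (StopIteration, OSError):
        return []


def score_file(path):
    """Score one file; returns (score, reasons). A score of 0 means 'not interesting'."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if ext not in SHEET_EXTS:
        return 0, []
    score, reasons = 0, []
    for label, pattern in NAME_PATTERNS.items():
        if pattern.search(name):
            score += 1
            reasons.append(f"name suggests {label}")
    # Only CSV content is inspected here; .xlsx would need openpyxl, which this
    # example deliberately avoids so it runs with the standard library alone.
    if ext == ".csv":
        cols = set(csv_header(path)) & CRED_COLUMNS
        if cols:
            score += 2
            reasons.append(f"header has credential column(s): {sorted(cols)}")
    return score, reasons


def hunt(root, min_score=1):
    """Walk root; return [(relative path, score, reasons)] with highest score first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            score, reasons = score_file(full)
            if score >= min_score:
                hits.append((os.path.relpath(full, root), score, reasons))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def build_sample_tree(root):
    """Constructed sample share: a decoy workbook, an xlsx named like the article's, a CSV export."""
    os.makedirs(os.path.join(root, "IT", "old"), exist_ok=True)
    os.makedirs(os.path.join(root, "Finance"), exist_ok=True)
    samples = {
        os.path.join("Finance", "budget-2022.xlsx"): b"PK\x03\x04 not a real workbook",
        os.path.join("IT", "DomAdmins-LastPass.xlsx"): b"PK\x03\x04 not a real workbook",
        os.path.join("IT", "old", "it-logins-export.csv"):
            b"url,username,password,extra,name,grouping,fav\n"
            b"https://vpn.example.test,svc_backup,Hunter2!,,VPN,IT,0\n",
        os.path.join("IT", "README.txt"): b"Share for IT documentation.\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temp dir and return {file name: score} for every hit."""
    root = tempfile.mkdtemp(prefix="credhunt-")
    build_sample_tree(root)
    return {os.path.basename(p): s for p, s, _ in hunt(root)}


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="credhunt-")
    build_sample_tree(root)
    for rel, score, reasons in hunt(root):
        print(f"[{score}] {rel}: {'; '.join(reasons)}")
```

Run it against a mounted share with a read-only account and treat every hit as a lead, not a verdict: name heuristics produce false positives, and an ‘export’ that really does hold passwords should be rotated and removed rather than just reported. The point of the exercise is the one the timeline makes, namely that such a file maps directly onto VPN and domain-admin access at whoever the share belongs to.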
Police arrest several teenagers
It is not 100 percent certain that the attackers used passwords from the spreadsheet, but it fits the timeline Demirkapi drew up. TechCrunch asked Okta for comment but had not received a response.
Last week, British police arrested several young people between the ages of 16 and 21. One of them is a 16-year-old who still lives with his parents; according to the Bloomberg news agency, he is believed to be the mastermind behind the cyber attacks.
Update (March 30, 2022): Sitel said in a statement that the attackers did not use a password spreadsheet to penetrate the company’s network. “This ‘spreadsheet’ mentioned in recent news articles contained only a list of Sykes’s past account names, but no passwords. The only reference to passwords in the spreadsheet was the date passwords were changed for each account listed; no passwords were included in this spreadsheet. Such information is inaccurate, misleading, and did not contribute to the incident,” Sitel said.
The company also says it is cooperating fully with a forensic investigation set up by an external cybersecurity firm. Customers who may have been affected by the attack have been notified.