Nation-state actor used stolen Okta credentials in Thanksgiving attack, Cloudflare says

Senior executives at networking giant Cloudflare said a suspected nation-state attacker used credentials stolen from Okta to breach the company’s systems in late November.

In a blog post Thursday afternoon, Cloudflare CEO Matthew Prince and others said the company detected on Thanksgiving Day a threat actor on its self-hosted Atlassian server.

“Our security team immediately began an investigation, cut off the threat actor’s access, and on Sunday, November 26, we brought in CrowdStrike’s Forensic team to perform their own independent analysis,” Prince said.

The CrowdStrike investigation, which was completed Wednesday, found that the threat actor did reconnaissance from November 14 to 17 and accessed several internal systems, including their internal wiki and their bug database.

The hacker came back on November 20 and 21, gaining access to Cloudflare’s source code management system.

The actor attempted to access other systems using access tokens and service account credentials that were stolen during a widely-publicized October breach at Okta.

All of the hacker’s access to Cloudflare systems was shut off on November 24.

“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,” Prince wrote.

“Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network.”

According to Prince, the company began a wide-ranging effort to ensure the hackers did not have persistent access to any other systems. Cloudflare’s investigation, as well as Crowdstrike’s, revealed that the hacker behind the incident was likely “looking for information about the architecture, security, and management” of Cloudflare’s global network.

Cloudflare rotated every production credential — about 5,000 of them — and physically segmented test and staging systems in an effort to “prevent the attacker from using the technical information about the operations of” their network as a way to get back in.

The company also replaced hardware used in a data center in São Paulo that the hacker tried to get into.

“This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner. The efforts we have taken to ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future,” Prince added.

The incident revived stiff criticism Cloudflare had of Okta about its October incident, where hackers “gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.” In addition to Cloudflare, security companies like 1Password and BeyondTrust were affected.

Okta is a major single sign-on provider that allows people to use one account to log into multiple digital services.

Despite being told by multiple cybersecurity company customers that there was an issue, Okta waited weeks before addressing the incident. After the attack was uncovered, Cloudflare said Okta needed to “take any report of compromise seriously and act immediately to limit damage.”

Cloudflare slammed Okta for allowing the hacker to stay in its systems from October 2 to October 17 despite being notified by BeyondTrust. Cloudflare also called for “timely, responsible disclosures” to customers after breaches are identified.

At the time, Cloudflare published its own blog notifying customers that hackers tried to attack their system on October 18 using an authentication token compromised at Okta. An investigation found that no Cloudflare customer information or systems were impacted.

“This is the second time Cloudflare has been impacted by a breach of Okta’s systems. In March 2022, we blogged about our investigation on how a breach of Okta affected Cloudflare. In that incident, we concluded that there was no access from the threat actor to any of our systems or data – Cloudflare’s use of hard keys for multi-factor authentication stopped this attack,” Cloudflare said last October.

Okta eventually defended the delay in its discovery, attributing it to mistakes made in identifying the hacker’s activities.