Lapsus$ found spreadsheet of passwords when they breached Okta, documents show

The Lapsus$ hackers used compromised credentials to break into customer service giant Sitel’s network in January, days before going on to access authentication giant Okta’s internal systems, according to documents viewed by TechCrunch that reveal previously unreported details of the intrusions.

Customers only learned of Okta’s January security breach on March 22, after the Lapsus$ hacking group released screenshots showing it had accessed Okta’s internal applications and systems about two months earlier. Okta acknowledged the compromise in a blog post and later confirmed that 366 of its corporate customers, or about 2.5% of its customer base, were affected by the breach.

The documents provide the most detailed account yet of the Sitel compromise, which allowed the hackers to later gain access to Okta’s network.

Okta is used by thousands of organizations and governments worldwide as a single sign-on provider that enables employees to securely access an organization’s internal systems such as email accounts, applications, databases and more.

The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer announcement sent on January 25 — more than a week after hackers first compromised its network — and a detailed timeline of the Sitel breach, compiled by the incident response company Mandiant and shared with Okta on March 17.

According to the documents, Sitel said it discovered the security breach in its VPN gateways on a legacy network owned by Sykes, a customer service company working for Okta that Sitel acquired in 2021. VPNs, or virtual private networks, are often a target for attackers as they can be exploited to remotely access an organization’s network.

The timeline details how the attackers used remote access services and publicly available hacking tools to compromise and navigate Sitel’s network, giving them deeper insight into the network over the five days that Lapsus$ had access. Sitel said its Azure cloud infrastructure was also compromised by hackers.

According to the timeline, early on January 21, the hackers accessed a spreadsheet on Sitel’s internal network called DomAdmins-LastPass.xlsx. The filename suggests that the spreadsheet contained passwords for domain administrator accounts exported from a Sitel employee’s LastPass password manager.

About five hours later, the hackers created a new Sykes user account and added it to a group of users called “tenant administrators” with broad access across the organization, likely to establish a “backdoor” account on Sitel’s network that the hackers could fall back on if they were later discovered and locked out. The Lapsus$ hackers compromised Okta’s network around the same time, according to Okta’s timeline of events.

The timeline shows that the hackers last accessed the Sitel network on January 21 at 14:00 (UTC), about 14 hours after accessing the spreadsheet of passwords. Sitel issued a company-wide password reset in an attempt to lock out the attackers.

Okta has been criticized for failing to warn customers earlier about Sitel’s breach after receiving Mandiant’s March 17 report. Okta’s chief security officer, David Bradbury, said the company “should have acted faster to understand the impact.”

Okta was unable to comment when reached prior to publication. Sitel and Mandiant did not dispute the content of the documents but declined to comment.

Okta is just one of several high-profile companies targeted by the hacking and extortion group Lapsus$ in recent months. The Lapsus$ group first burst onto the hacking scene in December after targeting the Brazilian Ministry of Health in a cyberattack that stole 50 terabytes of data, including citizens’ vaccination information. Since then, the gang has targeted several Portuguese-speaking companies as well as big tech giants like Samsung, Nvidia, Microsoft and Okta, touting their access and stolen data to the tens of thousands of subscribers to their Telegram channel, while often making unusual demands in exchange for not publishing their victims’ stolen files.

British police said last week they had arrested seven people, aged between 16 and 21, linked to the incidents.

If you know more about the breach or if you work at Okta or Sitel, contact the Signal Security Desk at 646-755-8849 or email [email protected].