Why the Okta Breach is Particularly Worrying - Supply Chain Attacks

The infamous LAPSUS$ group has allegedly claimed another breach victim in cybersecurity company Okta following the confirmed theft of data by the group from Samsung, Ubisoft, and NVIDIA. Microsoft is also currently investing an alleged breach of its Azure platform by the group.

Previous breaches by the group has focused on intellectual property such as source code however when publicizing the information about Okta, LAPSUS$ says that it focused not on attacking the company itself but rather to attack its customers. The group also was critical of Okta's security posture, saying its "security measures are pretty poor".

For many a cybersecurity professional, there was a flashback to the SolarWinds hack. With heightened awareness around cybersecurity with the Russian invasion of Ukraine and the Biden Administration warning of imminent cyber-attacks, there are many eyes on the Okta breach and its potential ramifications. It could be the ultimate supply chain attack and particularly worrisome as many as 15,000 organizations rely on Okta for security

There are some that believe that the LAPSUS$ group may be tooting its own horn to gain more notoriety, claiming to have more sensitive data than what they really have. At this point, we do not really know and only time will tell. What we do currently know is that Okta has disclosed that an attacker had access to a company laptop belonging to a support engineer for five days in January 2022. Okta says that there is no evidence of a current, ongoing attack. The potential of cyber-attacks stemming from the breach at Okta has many organizations scrambling to shore up their defenses despite a statement by Okta that their customers do not need to do anything. But for many, there is the fear of another supply-chain attack like SolarWinds where a widely used tool is compromised and then due to that compromise, it is possible that the organization that has deployed the technology could also be breached.

Some customers are not particularly happy that Okta did not disclose the breach until the information was published by LAPSUS$. Interestingly, today the SEC published new proposed amendments that will require public companies like Okta to disclose these types of security incidents within four (4) days of occurring.

Tego Cyber will continue to monitor the situation closely, add indicators of compromise (IoCs) to our threat intelligence feeds when available, and is always available to discuss should anyone have concerns or questions!