Identity management software vendor Okta has suffered its fourth cyberattack this year, after some of the company’s source code was copied from its private GitHub repositories earlier this month.
The frequency of the attacks on the company reflects the value of the data it holds rather than any inherent security flaw in its systems, security researchers believe. However, as each incident exposes more of Okta’s infrastructure, the likelihood of a large-scale supply chain attack akin to the 2020 SolarWinds breach increases.
How the latest Okta breach occurred
GitHub alerted Okta to suspicious activity on the company’s account earlier this month.
A security alert sent out by Okta’s chief security officer, David Bradbury, and seen by BleepingComputer confirmed the incident. “Upon investigation, we have concluded that such access was used to copy Okta code repositories.”
The attack has so far had a limited impact, Okta said. “Our investigation concluded that there was no unauthorised access to the Okta service and no unauthorised access to customer data,” a company statement said. “Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure.”
The company says the impact of the breach has been limited to Okta Workforce Identity Cloud code repositories, which do not contain customer data. “This event does not impact any other Okta products and we have been in communication with our customers,” Okta’s statement added.
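Okta’s position that it “does not rely on the confidentiality of its source code” is only true if the repositories contain no live credentials, signing keys or tokens. The first check a defender runs after a repository leak is therefore a secrets scan of the copied code, followed by rotation of anything it finds. The script below is an added illustration of that check; it is not Okta’s code or process, and the file names, key values and regex rules are constructed for this example (the AWS key uses the documented example format, the GitHub token is a made-up string of the right shape). The entropy test and placeholder filter show why a naive keyword match is not enough: `api_key = '${API_KEY}'` is a template, not a leak.

```python
import math
import re
from dataclasses import dataclass

# Illustrative detection rules for this example, not a vendor rule set.
# Keyword rule: a credential-like name directly followed by "=" or ":" and a
# quoted literal. No leading \b, so SMTP_PASSWORD = '...' still matches,
# while AWS_ACCESS_KEY_ID=... does not (KEY is followed by _ID, not by =).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Values that look like secrets but are templates or obvious placeholders.
PLACEHOLDER = re.compile(r"(?i)^(changeme|example|placeholder|xxx+|\$\{[^}]+\}|<[^>]+>)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; real random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    """Scan one file's contents and return the credential-like hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                value = m.group(2)
                # Placeholders and low-entropy values are reported as noise,
                # not as live secrets (a deliberate, documented false-negative risk).
                if PLACEHOLDER.match(value) or shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
    return findings


def scan_repo(files: dict) -> list:
    """files maps repository path -> file contents (stands in for a checkout)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository; nothing here is real credential material.
SAMPLE_REPO = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        "DB_PASSWORD = os.environ['DB_PASSWORD']",  # safe: read from environment
        "api_key = '${API_KEY}'",                    # safe: deployment template
        "test_password = 'changeme'",                # safe: placeholder
    ]),
    "deploy/creds.env": "\n".join([
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",    # hypothetical, AWS doc example format
        "SMTP_PASSWORD = 'x9Qm!vR2tL8zPw4s'",        # hypothetical live-looking secret
        "GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",  # made-up token shape
    ]),
    "keys/legacy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

Every hit in the leaked tree is treated as compromised and rotated, whether or not the attacker is believed to have noticed it; the scan is also worth running as a pre-commit or CI gate so that a future repository copy really does carry nothing that matters.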
Mis-four-tune befalls Okta
This is Okta’s fourth cybersecurity incident in recent months. In September, Okta-owned authentication service Auth0 disclosed a similar incident: hackers notified Okta that they possessed a copy of certain Auth0 code repositories dating from October 2020 and earlier. Again, the loss of code had led to no unauthorised access, Auth0 said at the time.
In August, security company Group-IB released a report into a phishing campaign it named 0ktapus, which used fake Okta login pages to harvest employee credentials and one-time passcodes. Access obtained in the campaign was used to target messaging app Signal, which reported at the time that, “1,900 of their users’ accounts were probably hacked.” The perpetrators used the phished codes to bypass multi-factor authentication, the report explains.
Okta’s most high-profile breach came to light in March, when the company confirmed a cyberattack at the hands of the hacking gang Lapsus$. The gang, which was on a crime spree against Big Tech companies at the time, claimed it had access to Okta’s internal systems by posting screenshots of those systems to its Telegram channel; Okta later confirmed the access had come through a compromised laptop belonging to a third-party customer-support contractor.
Why is Okta such a target for hackers?
Okta’s cloud-based software helps businesses build secure authentication and identity control systems for apps and connected devices. The company reported revenue of $1.3bn last year and has grown its user base rapidly in recent years, helped by its 2021 acquisition of Auth0. It works with more than 10,000 organisations, and recently signed a deal to provide digital identity services to the US military.
The nature of Okta’s work means it processes a huge amount of valuable data on users, covering personal and professional information that customers provide and that it obtains from third-party sources. This can be highly valuable to criminals looking to launch attacks using stolen identities.
This, rather than the security of the company, is likely to be the reason for the frequency of the breaches, argues Raj Samani, senior vice president and chief scientist at security company Rapid7: “We have to acknowledge the importance Okta plays in the security of their customers. It is an organisation that will likely face more targeted attacks than most,” he told Tech Monitor.
Other factors make Okta an appealing target, says Bharat Mistry, UK and Ireland lead at security company Trend Micro.
“If you can hack into Okta, grabbing credentials while you can, it opens the door to a number of different platforms,” he says. “Okta is not just used exclusively in the cloud, it’s used in other places as well. Anywhere where you need identity brokering, Okta is probably being used.”
What would the consequences be of such an attack?
This sort of access to so many different organisations has the potential to lead to a supply chain attack, similar to the one that hit IT management software vendor SolarWinds in 2020. On that occasion, attackers who had compromised the vendor’s build system planted a backdoor in an update to its Orion platform, which was then pushed to customers, including US government agencies.
“Such an attack [on Okta] could be more than SolarWinds,” argues Mistry. “Not everybody uses SolarWinds as it’s not quite enterprise-grade in the same way. But with Okta’s reach, the consequences could be devastating. Identity is at the crux of everything, and Okta is prominent in the space.”
With this in mind, the continued breaches being suffered by the company could, in part, be intelligence-gathering missions, says Hanah Darley, head of threat research at security company Darktrace.
“Several breaches affecting the same organisation, as is the case of Okta, can be an indicator that a threat actor is using information or credentials stolen in one breach to regain access through a different route,” Darley says. “A hacker having access to source code, even if it is then changed, means they can study the core logic of the code and gain insights into the operation of an organisation’s back-end infrastructure.”
Understanding a company’s underlying systems is crucial to staging a supply chain attack, Mistry adds. “If you understand how Okta is doing some of this stuff, understand what the mechanics are behind it, typically around things like encryption, you understand how it can be broken and you can actually start targeting those loopholes,” he says. “That attraction is there, not only for ordinary cybercriminals, but also for their nation-state hackers as well.”