View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 22, 2022updated 28 Apr 2023 9:27am

Okta cyberattacks could lead to supply-chain breach ‘worse than SolarWinds’

The digital identity vendor suffered a fourth attack of the year. Its infrastructure is an attractive target for hackers.

By Claudia Glover

Identity management software vendor Okta has suffered its fourth cyberattack this year, after some of the company’s source code was taken from a hacked private Github repository earlier this month.

Okta has suffered its fourth significant cyberattack of the year. (Photo by T. Schneider/Shutterstock)

The frequency of the attacks on the company reflects the value of the data it holds, rather than any inherent security flaws in its systems, security researchers believe. However, as each attack exposes more of Okta’s infrastructure, the likelihood of a large-scale supply chain attack akin to the 2020 Solarwinds breach increases.

How the latest Okta breach occurred

GitHub alerted Okta to suspicious activity on the company’s account earlier this month.

A security alert sent out by Okta’s chief security officer, David Bradbury, and seen by Bleeping Computer confirmed the incident. “Upon investigation, we have concluded that such access was used to copy Okta code repositories.”

The attack has so far had a limited impact, Okta said. “Our investigation concluded that there was no unauthorised access to the Okta service and no unauthorised access to customer data,” a company statement said. “Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure.”  

The company says the impact of the breach has been limited to Okta Workforce Identity Cloud code repositories, which do not contain customer data. “This event does not impact any other Okta products and we have been in communication with our customers,” Okta’s statement added.

Mis-four-tune befalls Okta

This is Okta’s fourth cybersecurity incident in recent months. In September, Okta-owned authentication service Auth0 suffered a similar attack. Hackers notified Okta that they possessed a copy of certain Auth0 code repositories dating back to October 2020. Again, there was no unauthorised access due to the loss of code, stated Auth0 claimed at the time.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Also in August, security company Group-IB released a report into an attack campaign named 0ktapus. This apparently used Okta credentials to target messaging app Signal, which reported at the time that, “1,900 of their users’ accounts were probably hacked.” The perpetrators used the Okta data to bypass multi-factor authentication, explains the report.

Okta’s most high-profile breach came in March, when the company suffered a cyberattack at the hands of the hacking gang Lapsus$. The gang, which was on a crime spree against Big Tech companies at the time, claimed it had access to Okta’s internal systems by posting pictures of the systems to its Telegram channel. 

Why is Okta such a target for hackers?

Okta’s cloud-based software helps businesses build secure authentication and identity control systems for apps and connected devices. The company reported revenue of $1.3bn last year and has grown its user base rapidly in recent years, helped by the acquisition of Auth0 earlier this year. It works with more than 10,000 organisations, and recently signed a deal to provide digital identity services to the US military.

The nature of Okta’s work means it processes a huge amount of valuable data on users, covering personal and professional information it is provided with, and obtains from third-party sources. This can be highly valuable to criminals looking to launch attacks using stolen identities.

This, rather than the security of the company, is likely to be the reason for the frequency of the breaches, argues Raj Samani, senior vice president and chief scientist at security company Rapid7: “We have to acknowledge the importance Okta plays in the security of their customers. It is an organisation that will likely face more targeted attacks than most,” he told Tech Monitor. 

Other factors make Okta an appealing target says Bharat Mistry, UK and Ireland lead at security company Trend Micro.

“If you can hack into Okta, grabbing credentials while you can, it opens the door to a number of different platforms,” he says. “Okta is not just used exclusively in the cloud, it’s used in other places as well. Anywhere where you need identity brokering, Okta is probably being used.”

What would the consequences be of such an attack?

This sort of access to so many different organisations has the potential to lead to a supply chain attack, similar to that which hit managed service provider Solarwinds. On that occasion, hackers that breached the MSP’s system were able to gain access to customers, which included US government agencies.

“Such an attack [on Okta] could be more than Solarwinds,” argues Mistry. “Not everybody uses Solarwinds as it’s not quite enterprise-grade in the same way. But with Okta’s reach, the consequences could be devastating. Identity is at the crux of everything, and Okta is prominent in the space.”

With this in mind, the continued breaches being suffered by the company could, in part, be intelligence-gathering missions, says Hanah Darley, head of threat research at security company Darktrace.

“Several breaches affecting the same organisation, as is the case of Okta, can be an indicator that a threat actor is using information or credentials stolen in one breach to regain access through a different route,” Darley says. “A hacker having access to source code, even if it is then changed, means they can study the core logic of the code and gain insights into the operation of an organisation’s back-end infrastructure.” 

Understanding a company’s underlying systems is crucial to staging a supply-chain attack, Mistry adds. “If you understand how Okta is doing some of this stuff, understand what the mechanics are behind it, typically around things like encryption, you understand how it can be broken and you can actually start targeting those loopholes,” he says. “That attraction is there, not only for ordinary cybercriminals, but also for their nation-state hackers as well.”

Read more: Vanuatu is showing small nations how to resist big cyberattacks

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.