Leaked Documents Shed Light on how Okta, Sitel Reacted to Lapsus$ Breach

In the weeks since digital extortion group Lapsus$ revealed that they had breached identity management platform Okta through one of its subprocessors, tech customers and organizations are still trying to understand the impact of the incident. The subprocessor, Sykes Enterprises, which is owned by business services outsourcing company Sitel Group, confirmed the data breach occurred in January 2022. Now, leaked documents show Sitel’s initial breach notification to customers, which includes customers of Okta, on January 25 – as well as a detailed “Intrusion Timeline” dated March 17.

The documents raise serious questions about the state of Sitel/Sykes’ security defenses prior to the breach. They highlight gaps in Okta’s response to the incident as well. The leaked documents were obtained by independent researcher Bill Demirkapi and shared with WIRED.

Okta said in a statement, “We are aware of the public disclosure of what appears to be a portion of a report Sitel prepared regarding its incident. … Its content is consistent with the chronology we have disclosed regarding the January 2022 compromise at Sitel.” They added, “Once we received this summary report from Sitel on March 17, we should have moved more swiftly to understand its implications. We are determined to learn from and improve following this incident.”

When Lapsus$ published screenshots on March 21 claiming responsibility for the Okta breach, the company says it had already received Sitel’s breach report on March 17. But after sitting on the report for four days, Okta looked as though it had been “caught” when it took the information public. The company initially denied an attack, stating, “The Okta service has not been breached.” The “Intrusion Timeline” of this incident would presumably be very alarming to a company like Okta, which essentially holds the keys for thousands of major organizations. Okta said that the “maximum potential impact” of the breach was 366 customers.

The timeline, produced by security investigators at Mandiant or based on data gathered by them, shows that Lapsus$ used extremely well-known and readily available hacking tools such as Mimikatz, a password-grabbing tool. From the beginning, the attackers were able to gain enough system privileges to disable security scanning tools that might have helped Okta flag the intrusion sooner. The timeline shows that the attackers initially compromised Sykes on January 16, and then ramped up their attacks on the 19th and 20th.

“The attack timeline is embarrassingly worrisome for Sitel group,” Demirkapi says. “The attackers did not attempt to maintain operational security much at all. They quite literally searched the internet on their compromised machines for known malicious tooling, downloading them from official sources.”

With just the information Sitel and Okta described having right away, it is unclear why the two companies didn’t mount a more urgent response while Mandiant was investigating.

Okta has said publicly that it noticed suspicious activity on a Sykes employee’s Okta account on January 20 and 21, and that it shared the information with Sitel at that time. The “Customer Communication” from Sitel on January 25 may have been an indication that even more was wrong than Okta previously knew. The document describes “a security incident… within our VPN gateways, Thin Kiosks, and SRW servers.”

Sitel also seemingly attempted to downplay the severity of the event. They wrote at the time, “we remain confident that there are no Indicators of Compromise (IoC) and there is still no evidence of malware, ransomware, or endpoint corruption.”

Lapsus$ has been rapidly escalating its attacks since its inception in December. The group has targeted dozens of organizations on multiple continents, and has stolen highly sensitive data from organizations such as Nvidia, Samsung and Ubisoft. Lapsus$ does not deploy ransomware; instead it threatens to leak the information it steals in extortion attempts. Since the attack on Okta, City of London police officers have arrested 7 people aged 16 to 21 in connection with Lapsus$. All have been released without charges filed, and the group’s Telegram channel remains active.

Demirkapi says the leaked documents are confounding and that both Okta and Sitel need to be more forthcoming about the sequence of events.

“We take our responsibility to protect and secure our customers’ information very seriously,” Okta chief security officer David Bradbury wrote last week. “We are deeply committed to transparency and will communicate additional updates when available.”

Story via WIRED
