Breach, Risk Assessments/Management

How Lapsus$, Okta attacker, typically preys on insiders

Today’s columnist, Tarun Desikan of Banyan Security, writes that the Okta incident could have happened to any SaaS provider. (“President Barack Obama Keynote at Oktane18” by aaronparecki is marked with CC BY 2.0. To view the terms, visit

The cyber threat scene burns again with the stunning announcement of the breach at the authentication company Okta. Of its 15,000 global customers, which include Sonos, T-Mobile, the FCC, and Peloton, an estimated 2.5% have been directly affected by yet another supply chain incident. This means hundreds of businesses are now somewhere in the process of incident response procedures. The facts of the matter have shocked professionals across the industry and resurfaced concerns of insider threats, vendor practices, and supply chain vulnerabilities.

Lapsus$ preys on the disgruntled

The group behind this hack is the highly unconventional group known as Lapsus$. It’s rumored that the group's masterminds are a 16-year old from Oxford, England, and another teenager from Brazil. They have evidently already tackled behemoths such as Microsoft and Nvidia, among other high-profile names. Their methodology typically relies on disgruntled employees, rather than sophisticated hacking or social engineering skills. Lapsus$ recruits privileged staff members of target organizations on Telegram, offering financial incentives in return for credentials or sensitive information that enable intrusions and unauthorized access to source code and customer data. The bigger the fish, the higher the prize.

Recently Telegram threads revealed the group's Superuser and Admin access to Okta systems. The company responded cryptically at first stating that there was no evidence of an ongoing attack, while acknowledging that the incident was known about in January. Then Okta admitted that some 366 customers were hacked.

Big realities and insider threats

So if Okta, a bonafide IT security company gets breached, then the implications for many others are significant.

Lapsus$ has become well known for its financial extortion over the exposure of its victims. Companies typically pay up due to the existential financial, regulatory, and legal risks to the organization resulting from the breach. Okta has entered into a precarious risk position, as it’s a component of IT protection in the chain of access to countless client networks.

Organizations across the board are facing the reality of insider threats with an entirely new twist: incentivized markets. Cybercriminals can offer lucrative financial exchange for undermining security from the inside, for example on the underground market Genesis where Lapsus$ has been active. Buyers in this market can find and solicit for source cookies and web tokens, many of which are configured to never expire. A hacker with these digital assets can assume the identity of an authorized privileged user on almost any tool, bypassing multi-factor authentication and other sign-in protections.

It gets worse

Of all the concerns that have emerged from this incident, two glaring components are the timeline of events and Okta’s public response. From what they have shared, it has been at least two months since the incident was first discovered. As of now, they have continued to downplay the impact while the community needs transparency into the matter. This includes current incident detection and non-detection rate data from its affected customer base. It's possible legal complications may have stood in the way of full transparency, but that does not absolve Okta's slow and vague responses.

The industry needs continued analysis and understanding of this incident. Immediately, we must review all possible opportunity points. In the coming weeks we’ll see a common response throughout the industry in the form of patches and updates. If they pertain to a specific technology used at any one company, then it’s important to implement these patches immediately. More importantly, the organization needs to have and maintain a cyclical and proactive program of patching across the board.

Organizations will also want to switch vendors. While this might make sense, it’s really a reactive response. As an important part of a response, rely on multi-factor authentication (MFA) as part of a chain of protections, but not the sole arbiter of security. Think of cybersecurity as a total concept that includes a few of the following core fundamentals that come into mind in light of the Okta case:

  • Require information from all vendors regarding Okta usage.
  • Review all third-party and vendor access.
  • Blacklist and filter passwords.
  • Combine MFA with complex passwords.
  • Protect and monitor privileged accounts.
  • Protect all identities from impossible travel and banned IP regions.
  • Limit the quantity and duration of privileged access browser sessions.
  • Rotate the passwords for all high privilege accounts (going back at least three months in this case).
  • Store logs and review them for suspicious activities.
  • Develop and pressure test a disaster recovery solution.

Time for comprehensive security

The Okta hack stands as just the latest incident, and it won’t be the last. As long as there are companies with weak security that are willing to pay the ransom, it will never end. Other than keeping employees happy so that they don’t get recruited by Lapsus$, we must focus our attention on comprehensive security solutions that mitigate these novel vectors of breaches. The sky is not falling. The IT industry will emerge out of this situation better, more adapted, and prepared than before.

Organizations surely need to stay on high alert, but most will endure and limit the damage in case of a breach. Moving forward, companies will have to detect and prevent attacks from the inside to protect critical systems.

Emil Sayegh, president and CEO, Ntirety

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.