
Target Industry

Indiscriminate, opportunistic targeting.

Overview

Okta, the identity services provider, has disclosed details regarding a data breach of its support case management system that occurred in October 2023. Following the initial compromise, evidence of malicious cyber operations has been detected that involved the exfiltration of sensitive data, such as names and email addresses of all Okta customer support system users.

Although the threat actor group responsible for the data breach cannot be attributed with absolute certainty, it has been assessed that there is a realistic possibility that the financially motivated cybercriminal group tracked as “Scattered Spider” is involved, based on the social engineering operations the group conducted against Okta as recently as August 2023.

Impact

Okta has stated that all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) clients have been impacted, with the exception of those in the FedRAMP High and DoD IL4 environments. It has been assessed that, as a result of the threat actor operations within the affected Okta systems, there has almost certainly been a total loss of confidentiality, availability, and integrity of sensitive Personally Identifiable Information (PII).

Compromised Systems

Okta Workforce Identity Cloud (WIC)

Okta Customer Identity Solution (CIS)

Indicators of Compromise

Please refer to the Quorum Cyber Threat Intelligence Scattered Spider Threat Actor Profile for further details regarding Indicators of Compromise (IoCs) attributed to Scattered Spider.

Threat Landscape

The threat posed by Scattered Spider has surged significantly within recent months: intelligence gathering has revealed that the financially motivated cybercriminal group has become an ALPHV (BlackCat) ransomware affiliate, which has led to the expansion of its operational protocols to include infiltrating cloud and on-premises environments to deploy file-encrypting ransomware.

It has been assessed that these expanded offensive capabilities have been adopted by Scattered Spider threat actors to allow them to remain relevant within the cyber threat landscape and to achieve their pre-defined objectives with greater efficiency. As such, organisations within all industry verticals should maintain a high level of vigilance surrounding offensive cyber campaigns launched by the threat actor group.

Threat Group

Intelligence indicates that Scattered Spider recently infiltrated an unnamed organisation and gained access to an IT administrator’s account via Okta single sign-on (SSO), followed by laterally moving from the identity-as-a-service (IDaaS) provider to the on-premises assets.

Scattered Spider (also known as UNC3944 and Roasted 0ktapus) is a financially motivated threat actor group that has been active since at least May 2022. Scattered Spider routinely gains initial access to the target environment by stealing administrative credentials through email and SMS phishing attacks or the deployment of infostealer malware. Once credentials have been obtained, Scattered Spider uses them to impersonate the administrator and leverages sensitive data to gain access to the environment. Furthermore, the group has also been observed conducting phishing operations against other users by leveraging the employee database; this is likely intended to maintain persistence and to enable lateral movement within the network.
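The chain described above (credential theft, then an impersonated administrator session through Okta SSO, often preceded by an MFA factor reset or password change obtained through the help desk) leaves a trail in the Okta System Log. The following is an added example of detection logic written for this bulletin; it is not code from Okta, Quorum Cyber or any of the reports listed below. The sample events, account names and IP addresses are constructed, the "baseline country" set is an assumed tenant-specific input, and the field names (eventType, published, actor.alternateId, target[].alternateId, client.ipAddress, client.geographicalContext.country, outcome.result) and event types are assumed to match the Okta System Log schema; verify them against your own tenant's export before deploying.

```python
"""Flag successful admin sessions that follow a recent MFA reset or password
change, or that originate from a country outside the tenant's baseline.
Constructed example; field names assumed to follow the Okta System Log schema."""
import json
from datetime import datetime, timedelta, timezone

# Event types assumed to precede an account takeover in the described chain.
RISKY_EVENTS = {
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.account.update_password",
}
WINDOW = timedelta(minutes=30)  # how long a risky event stays "recent"

# Constructed sample System Log events (not real data). Timestamps, accounts
# and documentation-range IPs are invented for this example.
SAMPLE_EVENTS = json.loads("""
[
 {"eventType": "user.session.start", "published": "2023-10-20T10:00:00.000Z",
  "actor": {"alternateId": "it-admin@example.com", "type": "User"}, "target": [],
  "client": {"ipAddress": "203.0.113.10", "geographicalContext": {"country": "United Kingdom"}},
  "outcome": {"result": "SUCCESS"}},
 {"eventType": "user.mfa.factor.reset_all", "published": "2023-10-20T10:05:00.000Z",
  "actor": {"alternateId": "helpdesk@example.com", "type": "User"},
  "target": [{"alternateId": "it-admin@example.com", "type": "User"}],
  "client": {"ipAddress": "203.0.113.20", "geographicalContext": {"country": "United Kingdom"}},
  "outcome": {"result": "SUCCESS"}},
 {"eventType": "user.session.start", "published": "2023-10-20T10:12:00.000Z",
  "actor": {"alternateId": "it-admin@example.com", "type": "User"}, "target": [],
  "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "United States"}},
  "outcome": {"result": "SUCCESS"}},
 {"eventType": "user.session.start", "published": "2023-10-20T10:20:00.000Z",
  "actor": {"alternateId": "it-admin@example.com", "type": "User"}, "target": [],
  "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "United States"}},
  "outcome": {"result": "FAILURE"}},
 {"eventType": "user.session.start", "published": "2023-10-20T10:30:00.000Z",
  "actor": {"alternateId": "analyst@example.com", "type": "User"}, "target": [],
  "client": {"ipAddress": "198.51.100.9", "geographicalContext": {"country": "United States"}},
  "outcome": {"result": "SUCCESS"}}
]
""")


def _ts(event):
    """Parse the ISO-8601 'published' timestamp into an aware UTC datetime."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _accounts_touched(event):
    """Accounts a risky event applies to: the actor plus any user targets
    (a help-desk reset has the victim in 'target', not 'actor')."""
    ids = {event["actor"]["alternateId"]}
    ids.update(t["alternateId"] for t in event.get("target", []) if t.get("alternateId"))
    return ids


def find_suspicious_admin_sessions(events, admin_accounts, baseline_countries, window=WINDOW):
    """Return one alert dict per successful admin session that is preceded by a
    risky event within `window` or comes from a country outside the baseline."""
    recent_risky = {}  # account -> [(timestamp, eventType), ...]
    alerts = []
    for ev in sorted(events, key=_ts):
        etype = ev["eventType"]
        if etype in RISKY_EVENTS:
            for acct in _accounts_touched(ev):
                recent_risky.setdefault(acct, []).append((_ts(ev), etype))
            continue
        if etype != "user.session.start" or ev["outcome"]["result"] != "SUCCESS":
            continue  # only successful logins open a usable session
        actor = ev["actor"]["alternateId"]
        if actor not in admin_accounts:
            continue
        reasons = []
        country = ev["client"]["geographicalContext"]["country"]
        if country not in baseline_countries:
            reasons.append(f"new_country:{country}")
        for when, risky in recent_risky.get(actor, []):
            if timedelta(0) <= _ts(ev) - when <= window:
                reasons.append(f"recent:{risky}")
        if reasons:
            alerts.append({"actor": actor, "published": ev["published"],
                           "ip": ev["client"]["ipAddress"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_sessions(SAMPLE_EVENTS, {"it-admin@example.com"}, {"United Kingdom"}):
        print(json.dumps(alert))
```

On the constructed sample the 10:12 session is the only hit, and it is flagged for two independent reasons (a country outside the baseline and an MFA reset seven minutes earlier); the failed login and the non-admin session produce nothing. In production the same logic applies to a feed from the System Log API, with the admin set and baseline countries taken from tenant configuration rather than hard-coded.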

MITRE Methodologies

Please refer to the Quorum Cyber Threat Intelligence Scattered Spider Threat Actor Profile for further details regarding the tactics, techniques, and procedures (TTPs) that are leveraged by Scattered Spider within its offensive cyber protocols.

Further Information

Quorum Cyber Threat Intelligence ALPHV Ransomware Report

Okta Data Breach Notification

ReliaQuest Scattered Spider Attack Analysis