Cloudflare Thwarts Nation-State Cyber Attack Exploiting Okta Breach Credentials
Cloudflare, a leading internet infrastructure provider, has successfully defended against a sophisticated cyber attack believed to be orchestrated by a nation-state entity. The incident, disclosed by the company on Thursday, was linked to a prior security breach at Okta last October. Cloudflare’s swift response ensured that no customer data or systems were compromised.
The attack, which was initially detected on Thanksgiving Day (Nov. 23), aimed to secure persistent and extensive access to Cloudflare’s global network. The company’s internal investigation revealed that the attacker gained entry to Cloudflare’s internal wiki and a bug database, and accessed a limited portion of the source code. Cloudflare’s security team immediately intervened, blocking the attacker’s access and enlisting cybersecurity firm CrowdStrike to validate its findings and fortify its defenses.
Investigations traced the origin of the attack back to the breach at Okta, a single sign-on provider. During the Okta incident, customer support records were exposed, including cookies and session tokens belonging to Okta clients. These stolen credentials could potentially allow hackers to impersonate legitimate users, a vulnerability the attacker exploited to infiltrate Cloudflare’s systems.
Cloudflare had initially succeeded in repelling the attacker’s attempts to access its systems and took measures to invalidate all session tokens exposed in the Okta breach. However, the company later discovered that one service token and three service accounts, believed to be unused and therefore not rotated, provided the hacker with initial access to Cloudflare’s systems, specifically to its Atlassian products.
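The gap described above (credentials believed to be unused and therefore skipped during rotation) is closed by keying a post-breach rotation audit on exposure rather than on activity. The Python below is an added example, not Cloudflare’s code; the inventory names and dates are constructed, and the exposure start date is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                      # session_token, service_token, service_account
    exposed: bool                  # appeared in the third-party breach records
    last_rotated: datetime
    last_used: Optional[datetime]  # None: never observed in use

def needs_rotation(cred: Credential, exposure_start: datetime) -> bool:
    # An exposed credential is only safe if it was rotated after exposure began.
    # Usage history is deliberately not consulted: a dormant token is still valid.
    return cred.exposed and cred.last_rotated < exposure_start

def audit(creds, exposure_start):
    """Return [(name, kind, status)] for every credential that must be rotated.
    'dormant' marks credentials with no observed use since exposure began,
    the category an activity-based review would have skipped."""
    findings = []
    for c in creds:
        if not needs_rotation(c, exposure_start):
            continue
        dormant = c.last_used is None or c.last_used < exposure_start
        findings.append((c.name, c.kind, "dormant" if dormant else "active"))
    return sorted(findings)

# Constructed inventory; dates are illustrative, not taken from the incident report.
EXPOSURE_START = datetime(2023, 10, 1, tzinfo=timezone.utc)   # assumed exposure start
INVENTORY = [
    Credential("user-session-01", "session_token", True,
               datetime(2023, 10, 25, tzinfo=timezone.utc),
               datetime(2023, 10, 26, tzinfo=timezone.utc)),     # rotated after exposure
    Credential("svc-atlassian-token", "service_token", True,
               datetime(2023, 5, 2, tzinfo=timezone.utc), None), # never used, still valid
    Credential("svc-wiki-sync", "service_account", True,
               datetime(2023, 3, 9, tzinfo=timezone.utc),
               datetime(2023, 9, 12, tzinfo=timezone.utc)),      # idle since September
    Credential("svc-ci-runner", "service_account", True,
               datetime(2023, 8, 1, tzinfo=timezone.utc),
               datetime(2023, 11, 10, tzinfo=timezone.utc)),     # active and unrotated
    Credential("svc-internal-only", "service_account", False,
               datetime(2023, 1, 1, tzinfo=timezone.utc), None), # not in breach records
]

if __name__ == "__main__":
    for name, kind, status in audit(INVENTORY, EXPOSURE_START):
        print(f"ROTATE {name:22s} {kind:16s} {status}")
```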
The hacker commenced probing Cloudflare’s systems on Nov. 14, but because the compromised credentials granted only limited access, their reach was confined to internal tools hosted on Cloudflare’s Atlassian servers, such as the internal wiki and bug database. Further attempts to infiltrate Cloudflare’s dashboard and Okta instance were thwarted, and an unsuccessful effort to access a console server in São Paulo, Brazil, was also recorded. By Nov. 24, Cloudflare had successfully eradicated the hacker from its systems.
Following the attack, Cloudflare initiated a ‘Code Red’ operation to reinforce its security measures, which included updating over 5,000 production credentials and reinstalling all machines within its global network. This comprehensive effort concluded on January 5, but the company continues to enhance its security protocols across various domains.
As part of its post-incident analysis, Cloudflare is scrutinizing the exposed source code for potential vulnerabilities and embedded secrets. While much of Cloudflare’s source code is publicly accessible, the primary concern centers around the possibility of embedded secrets or vulnerabilities within the code.
In the wake of the attack, Cloudflare has shared “indicators of compromise” to assist other Okta clients in determining whether their systems have been targeted. This collaborative approach reflects the industry’s collective endeavor to combat sophisticated cyber threats and safeguard digital infrastructure against nation-state adversaries.