Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

An independent security researcher has posted a purported detailed timeline for the Lapsus$ breach of a third-party Okta provider in January, produced by the forensic firm that investigated the incident, identified as Mandiant.

The researcher, Bill Demirkapi, said he had obtained copies of the Mandiant report on the breach, and posted the timeline from the report today on Twitter.

The third-party support provider, Sitel, hired the cyber forensic firm to investigate the breach. Sitel did not respond to a request for comment Monday.

In response to an inquiry about Demirkapi’s post, Okta did not dispute the documents. “We are aware of the public disclosure of what appears to be a portion of a report Sitel prepared regarding its incident,” Okta said in a statement provided to VentureBeat on Monday.


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.


Register Now

The content of the documents is “consistent” with the timeframe for the breach previously disclosed by Okta, the company noted.

Mandiant declined to comment, and did not dispute the documents or its involvement in the investigation of the Lapsus$ breach.

Last Tuesday, Okta disclosed that the hacker group Lapsus$ had accessed the laptop of a Sitel customer support engineer from January 16-21, giving the threat actor access to up to 366 Okta customers. The incident was only disclosed by Okta after Lapsus$ posted screenshots on Telegram as evidence of the breach.

Okta said it had received a summary report about the incident from Sitel on March 17.

In a tweet, Demirkapi said that “even when Okta received the Mandiant report in March explicitly detailing the attack, they continued to ignore the obvious signs that their environment was breached until LAPSUS$ shined a spotlight on their inaction.”

In the statement provided to VentureBeat on Monday, Okta said that “once we received this summary report from Sitel on March 17, we should have moved more swiftly to understand its implications.”

“We are determined to learn from and improve following this incident,” Okta said in the statement Monday.

New details

The purported Mandiant timeline starts on January 16, with the initial compromise of Sitel. That’s in contrast to the timeline provided by Okta, which starts on January 20 and does not include any details about what happened prior to that point.

Lapsus$ did not begin investigating the compromised system until January 19, according to the timeline posted by Demirkapi.

On that day, the threat actor did a Bing search for privilege escalation tools on GitHub, the purported Mandiant timeline says. “With little regard for OPSEC, LAPSUS$ searched for a CVE-2021-34484 bypass on their compromised host and downloaded the pre-built version from GitHub,” Demirkapi said in a tweet.

The threat actor “bypassed the FireEye endpoint agent by simply terminating it,” then “simply downloaded the official version of Mimikatz (a popular credential dumping utility) directly from its repository,” Demirkapi said.

The attacker created backdoor users within Sitel’s environment and “finished off their attack by creating a malicious ’email transport rule’ to forward all mail within Sitel’s environment to their own accounts,” Demirkapi wrote in a tweet.

A top question for Okta is, “You knew that the machine of one of your customer support members was compromised back in January. Why didn’t you investigate it? Having the capability to detect an attack is useless if you aren’t willing to respond,” Demirkapi said on Twitter.

‘Made a mistake’

On Friday, Okta released an apology for its handling of the January breach. The identity security vendor “made a mistake” in its response to the incident, and “should have more actively and forcefully compelled information” about what occurred in the breach, the company said.

The apology followed a debate in the cybersecurity community over Okta’s lack of disclosure for the two-month-old incident. The Okta statement on Friday stopped short of saying that the company believes it should have disclosed what it knew sooner.

However, Okta has said that the support engineers at Sitel have “limited” access, and that third-party support engineers cannot create users, delete users or download databases belonging to customers.

“We are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers,” Okta said on Friday. “We are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.”

Earlier this month, Google announced a $5.4 billion deal to acquire Mandiant.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.