Under Costa Rica’s sunny skies, in a pastel-colored office space northwest of the capital San José, employees are beavering away in their cubicles, answering calls and providing tech support for customers. They work for a little-known outsourcing firm called Sykes. Most people have never heard of the company, even though it’s now part of Sitel Group, one of the world’s largest call-center providers. According to LinkedIn profiles, its staff have done contract work for companies that are instantly recognizable, such as Amazon and Cisco, to name two.
Working as a Sykes customer-support employee requires access to data of the contracting company’s big-name clients. That access, it turns out, is very attractive to hackers. So it was in January, when an enigmatic hacker collective called LAPSUS$ managed to get hold of an account belonging to a Costa Rica-based Sykes employee who happened to be providing customer service to users of Okta, one of the biggest providers of “single sign-on” software, which lets customers use one password across numerous apps, requiring only a one-time code to get into an account. It’s supposed to offer tighter security. But as the Sykes hack showed, there are ways for cybercriminals to get to Okta customers’ data without directly targeting Okta. With the compromised Sykes account, the hackers managed to snoop on 2.5% of Okta’s customers, which appeared to include $30 billion web-security provider Cloudflare and 365 others. Hackers had the ability to reset passwords and scoop up customer information.
Sykes confirmed to Forbes that “parts” of its network were hacked in January, claiming it didn’t believe any serious breach had occurred and there was no longer a risk for its corporate customers (or for the customers of its customers). Okta later said that the breach lasted five days and allowed the hackers to reset passwords and those one-time codes.
Asked if any other customers were hit in the January breach at Sykes, a Sitel spokesperson said, “We are unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients.”
Okta’s chief security officer, David Bradbury, said in a webinar Wednesday that it only received a full forensic report from Sitel on Monday, having been initially warned in January about a potential breach. He admitted, however, that Okta received a summary report last week about the hack, and that the company should have moved more quickly to act on those initial findings. The report revealed that a hacker had gained access to a Sitel technician’s computer via what’s known as Remote Desktop Protocol (RDP), which provides access to a system from afar.
What the hack showed is how outsourcing technical support presents a risk to any company and its customers’ data. While a company can outsource its employee functions, it can’t outsource the risk and reputational damage when things go awry at the contractor. And that’s a factor that the LAPSUS$ crew, which often demands payment from victims to stop it from leaking data, has been exploiting in earnest.
Cybercriminals have long targeted low-paid tech-support workers who have “access to the keys of the kingdom,” said Allison Nixon, chief research officer at cyber investigations business Unit 221B.
In focusing on Okta, LAPSUS$ had managed to misdirect everyone from the initial breach at Sykes, Nixon said. “It’s kind of like a magic trick. All eyes are drawn to Okta, but right in front of you, the magician is doing something else that’s even more interesting … and that’s Sitel and the third-party call centers that LAPSUS$ is targeting.” The hackers did that to avoid giving the game away that they were going after call centers, she said.
Yet it’s by exploiting this vulnerability that LAPSUS$ is able to break into top-tier companies and gain levels of access that an advanced government hacking group “would drool over,” Nixon said.
Big tech companies know it, too. LAPSUS$ had previously claimed to have stolen data from Microsoft, Samsung, Nvidia, and other major tech companies. On Tuesday, Microsoft confirmed it was a victim of a LAPSUS$ attack, in which one of its company accounts was hacked and used to pilfer company source code. That came days after LAPSUS$ claimed to have leaked some Bing, Bing Maps, and Cortana source code. Microsoft didn’t say whether the compromised account belonged to an internal employee or a contracted one, but in a blog post on Tuesday analyzing the LAPSUS$ crew’s activities, Microsoft said it “found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners).” It pointed to one advertisement in which LAPSUS$ offered to buy company passwords. Microsoft — which pointed to other ways LAPSUS$ breached organizations via passwords bought from criminal forums and malware that stole logins — didn’t respond to requests for comment on how this initial breach occurred.
Companies often don’t do enough due diligence to check on the security of a third-party provider, said Cesar Cerrudo, chief research officer at cybersecurity company Strike. “Sometimes you just get asked to sign a checkbox, that you’re [legally] compliant and that you do security and penetration tests or whatever,” Cerrudo said. “But it’s just a checkbox on a form on a contract.”
Raj Samani, the chief scientist at security company Rapid7, said the Okta and Sykes breaches should act as a clarion call to businesses to make sure they’re checking who has access to what on their network. “We’ve got to get organizations to start considering, what are we doing to track our incident-response workflows, what are we doing to analyze our Slack channels,” he said. That goes right down to checking the identity of everyone on a group call, where an impostor might be present. A “zero trust” model should be adopted, he said.