Cloud Breached: Nation-State Hacker Infiltrates Cloudflare’s Code

Cloudflare recently unveiled details of an incident in which state-sponsored spies are believed to have gained access to Atlassian’s internal system using credentials stolen during a security breach at Okta in October.

According to Cloudflare, the breach within Atlassian’s system was detected on November 23, 2023, and by the following day, the intruders had been expelled from the system. Company representatives stated that the attack aimed to secure persistent access to Cloudflare’s global network.

During the Okta security breach in October, which affected over 130 clients, attackers stole data to further compromise organizations. Cloudflare, which utilizes Okta as an identity provider integrated with Cloudflare Access to ensure secure user access to internal resources, also suffered from the attack.

Cloudflare’s leadership reported that the spies sought information on remote access, secrets, and tokens, and showed interest in 36 Jira tickets out of more than 2 million. These tickets related to vulnerability management, secret turnover, bypassing multifactor authentication, network access, and even the business response to the Okta incident.

Cloudflare stated that hackers obtained one service token and three sets of service account credentials through the Okta compromise in 2023. Initially, Okta claimed the stolen information was relatively harmless and could be used for phishing or social engineering. However, it turned out that among the stolen data were session tokens that allowed access to the networks of companies like Cloudflare.

The attackers used the stolen data to access Cloudflare systems, including an internal wiki based on Confluence and a Jira bug database, from November 14 to 17, 2023. Further accesses were detected on November 20 and 21, after which the cybercriminals established a permanent presence on the Atlassian server via ScriptRunner for Jira.

The spies’ interest in secrets and tokens is also evidenced by their review of 120 code repositories in Bitbucket out of nearly 12,000. The repositories were primarily related to backup principles, configuration, global network management, identification, remote access, as well as Terraform and Kubernetes. According to the CDN company, some contained encrypted secrets, which were immediately replaced, though they were securely encrypted.

The attack was repelled on November 24, 2023, after which the company began assessing the damage and investigating the incident. As part of the enhanced security measures, Crowdstrike was engaged for an independent assessment.

Cloudflare takes the incident seriously, despite the limited operational impact, and is committed to managing credentials, enhancing software security, and improving the alert system. The “Code Red” project, aimed at mitigating the breach’s aftermath, concluded on January 5, 2024, but efforts to enhance security within the company continue.