Decipher File · January 2022 to March 2022
Okta Sitel Sub-Processor: Lapsus$ Reaches an Identity Provider via a Contractor
The Okta Sitel incident is the identity-provider breach that exposed how subcontracted support staff reach customer tenants. Between January 16 and 21, 2022, Lapsus$ accessed a Sitel customer support engineer's workstation via RDP, used the engineer's Okta access to view information on roughly 366 customer tenants, and disclosed the breach publicly through screenshots posted on March 22, 2022.
Incident summary
Okta is an identity provider that brokers single sign-on, MFA, and lifecycle management for thousands of enterprise customers. Per Okta's March 25, 2022 investigation summary, on January 20, 2022 Okta Security detected that a new MFA factor had been added to a Sitel customer support engineer's Okta account. Sitel, through its 2021 acquisition of Sykes Enterprises, provides Okta with contracted customer support engineers.
Mandiant's third-party forensic investigation found that the threat actor had RDP access to the Sitel support engineer's workstation between January 16 and 21, 2022, a five-day window. The actor used the engineer's Okta SuperUser-equivalent access to view information related to approximately 366 Okta customer tenants, or roughly 2.5 percent of Okta's customer base at the time.
Lapsus$ disclosed the breach publicly on March 21-22, 2022 by posting screenshots of the Okta administrator interface on its Telegram channel. Okta's customer disclosure followed shortly after, drawing significant criticism because customers learned of the incident from social media before receiving direct notification from Okta. The two-month delay between detection and customer notification became a defining controversy of the incident.
Attack technique
MITRE ATT&CK maps the operation to T1199 (Trusted Relationship) for abuse of the Okta sub-processor relationship, T1078 (Valid Accounts) for the engineer's credential, T1021.001 (Remote Services: RDP) for the workstation access, and T1213 (Data from Information Repositories) for review of customer tenant data through the Okta admin interface.
Sitel disclosed in a statement reported by Recorded Future on March 28, 2022 that the breach occurred in legacy network infrastructure inherited from the 2021 Sykes acquisition. Acquired infrastructure importing unaddressed risk is a recurring pattern across identity-vendor incidents; the 2024 Change Healthcare breach followed the same course when Optum's acquisition of Change Healthcare imported the no-MFA Citrix portal.
The Okta SuperUser application that the support engineer had access to permits limited administrative actions on customer tenants, including password resets and MFA factor management. Per Okta's investigation, the actor did not modify customer configurations, did not download bulk customer data, and did not access customer Okta tenants directly. The actor reviewed customer tenant data through the engineer's authenticated browser session.
Impact and consequences
Okta initially disclosed in CSO David Bradbury's public statement that the maximum potential impact was 366 customers. The disclosure cadence drew criticism. Cloudflare CEO Matthew Prince publicly called Okta's response 'frankly unacceptable' on March 22, 2022. Cloudflare and other Okta customers proactively reset Okta-issued credentials and audited tenant logs without waiting for direct Okta notification.
Okta's stock price fell approximately 11 percent on March 22, 2022. The reputational impact contributed to a multi-quarter shift in the identity-vendor competitive landscape, with prospective customers conducting more rigorous security questionnaires of identity providers and existing customers reviewing alternatives. Okta announced a new Auth0 Customer Identity Cloud security framework in response.
Lapsus$ continued operations against multiple Fortune 500 targets including Microsoft, NVIDIA, Samsung, Vodafone, Globant, and Uber through 2022. UK police arrested seven suspects in March 2022 in Oxford, and the City of London Police announced charges against multiple Lapsus$-linked individuals later in 2022 and 2023. The UK convictions in August 2023 provided public-record detail on the group's operations.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- RDP access to a Sitel/Sykes support engineer's workstation
- Use of the SuperUser application within the Okta administrator interface from the engineer's session
- Lapsus$ Telegram channel posts on March 21-22, 2022 with screenshots of the Okta admin panel
- Detection by Okta Security on January 20, 2022 of a new MFA factor added to the Sitel engineer's account
- Sitel acquired Sykes Enterprises in 2021, with the engineer originating from the legacy Sykes environment
Lessons for defenders
Sub-processor risk needs the same controls as direct vendor risk. Sitel as an Okta sub-processor had effective access into customer tenants. Vendor risk management programs that examine direct vendors but not sub-processors miss the actual access boundary. Map sub-processors and apply equivalent security control evidence to each.
Acquired infrastructure inherits risk on day one. Sitel's compromise occurred in legacy Sykes infrastructure from a 2021 acquisition. Cybersecurity due diligence in M&A and time-bound integration runbooks that bring acquired environments to corporate baseline within a defined window close this recurring gap.
Identity provider sub-processor access should be just-in-time, not standing. Okta support engineers had standing access to customer tenant administrative functions through SuperUser. Just-in-time elevation, customer-side approval workflows, and ephemeral access tokens reduce the value of a single compromised support engineer credential.
Disclosure cadence is part of the security control. Okta's two-month gap between detection and customer notification became the defining controversy of the incident and damaged customer relationships beyond the technical impact. Mature incident response playbooks include customer communication SLAs, with the disclosure timeline calibrated to customer detection-and-response needs.
Customers cannot rely solely on vendor-side detection. Cloudflare, BeyondTrust, and others detected vendor-side identity provider issues from the customer side because they monitored their own Okta admin sessions. Customer-side identity event monitoring is a control that survives even when vendor self-monitoring fails.
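The customer-side monitoring described above, and the "new MFA factor added" signal in the indicators list, can be exercised against a tenant's own Okta System Log export. The script below is an added example, not code from the original page, from Okta, or from Cloudflare. It assumes the System Log record layout Okta exports (eventType, actor, target, outcome, client), uses event type names as the author understands Okta's log schema (user.session.impersonation.*, user.mfa.factor.*, user.account.reset_password), and applies a simple heuristic: an MFA factor change or password reset whose actor is not the target user is a third-party change worth review, and any impersonation event is flagged outright. The log records are constructed for the example and are not real Okta data.

```python
"""Customer-side review of Okta System Log records for support-initiated access.

Added example (not Okta's or Cloudflare's tooling). Reads System Log records as
JSON lines and flags the event classes a tenant should review after a
vendor-side incident: impersonation sessions, MFA factor changes made by someone
other than the account owner, and password resets made by someone other than
the owner. Event type names are Okta System Log types as understood by the
author; the records in SAMPLE_LOG are constructed.
"""
import json

# Assumed Okta System Log event types (not taken from the page).
IMPERSONATION_EVENTS = {
    "user.session.impersonation.initiate",
    "user.session.impersonation.grant",
    "user.session.impersonation.end",
}
MFA_FACTOR_EVENTS = {
    "user.mfa.factor.activate",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
}
PASSWORD_EVENTS = {"user.account.reset_password", "user.account.update_password"}

# Constructed sample records, one JSON object per line. Timestamps are placed
# inside the January 16-21, 2022 window the page describes; IPs are RFC 5737
# documentation addresses and the identities are invented.
SAMPLE_LOG = """
{"published":"2022-01-18T09:02:11.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"id":"00u1","type":"User","alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-01-18T09:05:40.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"id":"00u1","type":"User","alternateId":"alice@example.com"},"target":[{"id":"00u1","type":"User","alternateId":"alice@example.com"},{"id":"fac1","type":"UserFactor","displayName":"Okta Verify"}],"client":{"ipAddress":"203.0.113.10"}}
{"published":"2022-01-20T14:12:03.000Z","eventType":"user.session.impersonation.initiate","outcome":{"result":"SUCCESS"},"actor":{"id":"00usup","type":"User","alternateId":"support-engineer@example.net"},"target":[{"id":"00u2","type":"User","alternateId":"tenant-admin@example.com"}],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2022-01-20T14:15:27.000Z","eventType":"user.account.reset_password","outcome":{"result":"SUCCESS"},"actor":{"id":"00usup","type":"User","alternateId":"support-engineer@example.net"},"target":[{"id":"00u3","type":"User","alternateId":"bob@example.com"}],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2022-01-20T14:18:49.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"id":"00usup","type":"User","alternateId":"support-engineer@example.net"},"target":[{"id":"00u3","type":"User","alternateId":"bob@example.com"}],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2022-01-20T14:30:00.000Z","eventType":"user.session.impersonation.end","outcome":{"result":"SUCCESS"},"actor":{"id":"00usup","type":"User","alternateId":"support-engineer@example.net"},"target":[{"id":"00u2","type":"User","alternateId":"tenant-admin@example.com"}],"client":{"ipAddress":"198.51.100.7"}}
"""


def parse_system_log(text):
    """Parse JSON-lines System Log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _target_user(event):
    """Return (id, alternateId) of the first User-typed target, or (None, None)."""
    for t in event.get("target") or []:
        if t.get("type") == "User":
            return t.get("id"), t.get("alternateId")
    return None, None


def review_events(events):
    """Flag impersonation events and third-party MFA/password changes.

    Heuristic: a change is "third party" when the actor id differs from the
    target user id. Self-service enrollments (actor == target) are not flagged.
    """
    findings = []
    for ev in events:
        etype = ev.get("eventType", "")
        actor = ev.get("actor") or {}
        target_id, target_name = _target_user(ev)
        third_party = bool(target_id) and target_id != actor.get("id")
        category = None
        if etype in IMPERSONATION_EVENTS:
            category = "impersonation"
        elif etype in MFA_FACTOR_EVENTS and third_party:
            category = "third_party_mfa_change"
        elif etype in PASSWORD_EVENTS and third_party:
            category = "third_party_password_reset"
        if category:
            findings.append({
                "published": ev.get("published"),
                "category": category,
                "eventType": etype,
                "actor": actor.get("alternateId"),
                "target": target_name,
                "ip": (ev.get("client") or {}).get("ipAddress"),
                "outcome": (ev.get("outcome") or {}).get("result"),
            })
    return findings


def impersonation_windows(events):
    """Pair impersonation initiate/end events per actor into (actor, start, end) windows.

    An initiate with no matching end yields an open window (end is None).
    """
    open_windows, windows = {}, []
    for ev in sorted(events, key=lambda e: e.get("published", "")):
        etype = ev.get("eventType")
        actor = (ev.get("actor") or {}).get("alternateId")
        if etype == "user.session.impersonation.initiate":
            open_windows[actor] = ev.get("published")
        elif etype == "user.session.impersonation.end" and actor in open_windows:
            windows.append((actor, open_windows.pop(actor), ev.get("published")))
    windows.extend((a, s, None) for a, s in open_windows.items())
    return windows


if __name__ == "__main__":
    evs = parse_system_log(SAMPLE_LOG)
    for f in review_events(evs):
        print(f"{f['published']} {f['category']:<28} {f['actor']} -> {f['target']} from {f['ip']}")
    for actor, start, end in impersonation_windows(evs):
        print(f"impersonation window: {actor} {start} .. {end or 'still open'}")
```

Run against a real export, the review function gives a list of support-originated changes to reconcile with the support tickets the tenant actually opened; the impersonation windows give the time ranges in which every admin action should be attributed to the support session rather than to the tenant's own administrators. Actions in those windows that no ticket explains are the ones to escalate.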
Frequently asked questions
How did Lapsus$ access Okta in January 2022?
Per Okta's March 25, 2022 investigation summary, the threat actor obtained RDP access to a Sitel customer support engineer's workstation between January 16 and 21, 2022. Sitel had acquired Sykes in 2021, and per Sitel's later statement the breach occurred in legacy Sykes infrastructure. The actor used the engineer's authenticated Okta SuperUser session to view approximately 366 customer tenants.
Why was the Okta-Sitel disclosure controversial?
Okta detected the unauthorized MFA factor on January 20, 2022 but did not publicly disclose until Lapsus$ posted screenshots on Telegram on March 21-22, 2022. Customers learned of the incident from social media before receiving direct Okta notification. Cloudflare CEO Matthew Prince publicly called the response 'frankly unacceptable.' The two-month gap defined disclosure-cadence expectations for identity vendors thereafter.
What did Okta change after the Lapsus$ incident?
Okta tightened sub-processor access controls, reduced support-engineer standing privileges, and introduced customer-side notification SLAs for security events. Auth0 Customer Identity Cloud security frameworks were updated. The 2023 Okta support breach and subsequent Secure Identity Commitment in 2024 traced their origins to lessons from this 2022 incident, including expansion of customer-side audit log access.
Sources
- Okta Blog: Okta's Investigation of the January 2022 Compromise · Okta's official March 25, 2022 investigation summary
- Okta CSO David Bradbury Public Update on Lapsus$ · Okta's March 22-23, 2022 public statements
- Sitel Statement on Sykes Network Compromise via Recorded Future · March 28, 2022 Sitel statement attributing the breach to legacy Sykes infrastructure
- Dark Reading: Okta Says 366 Customers Impacted via Third-Party Breach · Reporting on Okta's customer impact disclosure
- CISA Joint Advisory AA22-074A: Lapsus$ · Federal advisory on Lapsus$ TTPs and IOCs
- DOJ UK and Brazilian National Charges Related to Lapsus$ · Subsequent UK and Brazilian arrests of Lapsus$ members in 2022 and 2023
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.