A curated list of phishing attacks on employees at Sitel, Okta, Microsoft, Globant, Nvidia, T-Mobile, Cloudflare and Twilio
This article documents a chain of phishing-led cyberattacks on big organizations by a group called Lapsus$. It’s far from an exhaustive list. The technique used in every one of these attacks, without exception, is the same old, unsophisticated social engineering technique that was first discovered on the AOL network in 1996, where I was one of the first people hackers impersonated on the Internet. Hackers impersonated senior people like me and community admins at AOL in email, chatrooms and IM. Their aim was to trick AOL members into giving up control of their accounts, so they could trade them for money or software.
- Security vendors say phishing is new and sophisticated — that’s bullsh!t and it must stop.
- Almost every journalist and security writer also refers to phishing-led attacks as “new and sophisticated”, because they don’t know any better: that’s what security vendors tell them.
- Most people who read what security vendors and writers have to say have little choice but to believe that phishing is new and sophisticated.
This is NOT a timeline of all phishing-led attacks; that would require breaking everything down by the hour or minute. I don’t have time to document all of that, and no one should have the time to read it. This timeline matters because it involves companies that claim to protect people from the kind of attack they fell for.
It’s time to stop victim shaming employees. It’s time to ask:
- What security controls did the breached organization have in place?
- Why did those security controls fail to detect the phishing attack before it reached an employee?
January 2022 — Sitel
- Sykes (acquired by Sitel) was breached by a group of cybercriminals who targeted an employee with a phishing-led attack that provided access to a customer support engineer’s laptop.
- Sitel is a customer support provider to Okta.
- Okta is a security company that provides authentication services to thousands of organizations around the world, including Cloudflare and Twilio.
March 2022 — Okta
- #Lapsus$ took responsibility for the attack on Sitel, sharing screenshots of Okta’s internal systems in a Telegram channel.
- The attacker accessed 2 of Okta’s active customer tenants within the SuperUser application, and viewed additional information in other applications like Slack and Jira.
- Okta concluded that 400 of its customers were potentially impacted.
- Microsoft confirmed Lapsus$ compromised their network through a phishing-led attack on their employees.
- Microsoft is one of the biggest security vendors in the world, generating many billions of dollars every year from selling anti-phishing solutions that are flawed by design. If they weren’t flawed, Microsoft’s own employees wouldn’t fall for phishing attacks as often as they do.
- Globant said a cyberattack on their network and customer data may have started through a compromised employee account — i.e. phishing.
- Following the attack, Lapsus$ shared screenshots of a file directory containing the names of several companies, including tech giants Facebook, the Apple Health app, DHL, Citibank and BNP Paribas Cardif, among others.
- Nvidia confirmed that it was hacked by Lapsus$, which leaked employee credentials and proprietary information onto the internet. Lapsus$ claimed to have taken around a terabyte of data from Nvidia.
- T-Mobile confirmed that Lapsus$ gained access to their system with stolen credentials.
May 2022 — July 2022
- There was a quiet period between May and July. If I had to guess, I’d say this time was used by members of Lapsus$ to plan and prepare their SMS-led phishing attacks — using Okta’s brand, and Okta’s customer data that was stolen during the attack on Sitel.
- Twilio employees fell for an SMS phishing attack that led to some of Twilio’s customers being compromised. The attackers (Lapsus$) impersonated one of Twilio’s own URLs and a Twilio/Okta login page.
- Okta is Twilio’s security provider for identity management.
- Three Cloudflare employees fell for an SMS phishing attack. The attackers (Lapsus$) impersonated one of Cloudflare’s own URLs and a Cloudflare/Okta login page.
- Okta is Cloudflare’s security provider for identity management.
- Here’s an article I wrote explaining what happened, and why Cloudflare was able to protect its customer data in a cyberattack similar to the one that breached Twilio’s network and compromised some of its customer data.
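Both lures above share one shape: a hostname that carries the target company’s brand and/or “Okta” on a registrable domain the company does not own, delivered by SMS with a login pretext. That shape can be checked mechanically before a message reaches an employee. The following is an added example, not code from the original article or from any of the companies named in it. “Example Corp”, its allowlisted SSO hosts, the brand tokens and the sample SMS lines are all constructed for the example; the domains are not the ones used in the real attacks.

```python
"""Lookalike-SSO-domain detector run over constructed SMS lures.

Added example, not code from the original article or from any company it
names. The allowlists, brand tokens and message texts are constructed for
the example; the domains are NOT the ones used in the real attacks.
"""
import re
from urllib.parse import urlsplit

# Assumed inventory for a hypothetical "Example Corp" that uses Okta:
# exact hostnames where staff are legitimately asked to sign in ...
LEGIT_SSO_HOSTS = {"sso.example-corp.com", "example-corp.okta.com"}
# ... and registrable domains the company or its identity provider owns.
OWNED_DOMAINS = {"example-corp.com", "okta.com"}
# Brand strings an attacker would combine into a lookalike hostname.
BRAND_TOKENS = ("example-corp", "okta")

# Fold common digit-for-letter substitutions before matching (0->o, 1->l, 3->e).
CONFUSABLES = str.maketrans("013", "ole")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the .com/.net samples here;
    a real deployment should use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_host(host: str) -> str:
    """Return 'legit', 'owned', 'lookalike' or 'unknown' for a hostname.

    'lookalike' means a brand token appears (after folding confusables and
    hyphens) in a hostname whose registrable domain is not on the owned list:
    the company's name and/or "okta" on a domain the company does not control.
    """
    host = host.lower()
    if host in LEGIT_SSO_HOSTS:
        return "legit"
    if registrable_domain(host) in OWNED_DOMAINS:
        return "owned"
    folded = host.translate(CONFUSABLES).replace("rn", "m").replace("-", "")
    if any(token.replace("-", "") in folded for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def extract_hosts(text: str) -> list[str]:
    """Hostnames of every http(s) URL in a message (trailing punctuation stripped)."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = urlsplit(m.group(0).rstrip(".,;)")).hostname
        if host:
            hosts.append(host)
    return hosts


def scan_messages(messages: list[str]) -> list[tuple[int, str]]:
    """(message index, hostname) for every URL that classifies as a lookalike."""
    hits = []
    for i, msg in enumerate(messages):
        for host in extract_hosts(msg):
            if classify_host(host) == "lookalike":
                hits.append((i, host))
    return hits


# Constructed SMS lines in the style described above (not real messages).
SAMPLE_SMS = [
    "Example Corp IT: your schedule has changed, review it at https://example-corp-okta.com/login",
    "Your password expires today. Sign in at https://sso.examp1e-corp.com/",
    "Weekly report is ready: https://sso.example-corp.com/reports",
    "Ticket updated: https://example-corp.okta.com/app/jira",
    "Okta's docs on this are at https://help.okta.com/en/",
    "Lunch? https://maps.example.net/",
]

if __name__ == "__main__":
    for i, host in scan_messages(SAMPLE_SMS):
        print(f"message {i}: lookalike host {host!r}")
```

The check is deliberately allowlist-first: anything that is not an exact SSO host or an owned domain but still carries the brand is treated as hostile, which is the opposite of the blocklist approach that has to see a lure before it can stop it. The two-label eTLD+1 shortcut is the weak spot; use the public suffix list in production.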
August 2022 onwards
- We have every reason to believe more phishing-led attacks are being planned and executed as you read this article. Why would we think otherwise?
What is phishing?
Almost every security company I’ve researched defines phishing as a social engineering technique used to obtain sensitive information such as usernames, passwords and credit card details. PhishTank only accepts webpages designed to steal usernames and passwords into its URL blocklist; it declines submissions for phishing threats associated with malware or ransomware attacks.
I believe phishing is much more.
My definition of phishing
Phishing is the practice of impersonating people and organizations on the Internet
Phishing drives 90% of online fraud, data breaches, identity theft, malware and state-sponsored attacks. It’s not just about the theft of personal information.
Why phishing is not new or sophisticated
TL;DR: The phishing-led attacks we see today were first discovered on the AOL network in 1996. That was a very long time ago. To put that into perspective, Google wasn’t founded until 1998, and most of the Chrome engineers who represent Google across standards bodies today didn’t graduate from college until the 2000s.