Cloudflare hacked: why and by whom?

(To Alessandro Rugolo)

At the beginning of February the news of the hacking of Cloudflare. In the titles of the magazines we read that the company Cloudflare, an American network security giant, had been hacked by a probable "State sponsored" group. 

The attack, second security week, occurred through the use of credentials stolen during a previous attack (Okta hack). Okta, a provider of online security and identity services, was allegedly hacked in September and reported the loss of data regarding its customers. 

Again from the article by security week at the beginning of February we learned that the information of login stolen during the attack on Okta had not been replaced, allowing the attacker to access the systems Cloudflare starting from November 14.

From what we know so far, we should start asking ourselves some questions:

  1. If a security company receives notification of a loss of access data affecting it, why doesn't it proceed to disable it immediately?
  2. why bring a "State Actor" into play for a hacking attempt based trivially on the use of stolen and still active credentials?

Two questions whose answer is not trivial.

We continue. 

Always according to Cloudflare the attacker had access to several internal systems: 

- an AWS environment;

- the systems Jira e Confluence, by Atlassian, two systems of advanced collaboration used by Cloudflare. Jira in particular it is used to manage system bugs.

Again according to the company's statements, the attacker was able to move within the work environment and had access to 120 repositories of code. Whether or not he downloaded them is unclear. The fact is that the documents to which he had access concerned the operating methods of the backup, the configuration and management of the global network Cloudflare, remote access and the use of Terraform (to put it simply, an IT infrastructure management system) and Kubernetes (for managing workloads and services).

The hacker was identified only on November 23rd, therefore after about 10 days, during which he also managed to install software within the network Cloudflare, a tool red teaming that is called SliverAdversary Emulation Framework and it is open source and freely downloadable from GitHub.

Having said this, let's move on to trying to answer the two questions posed above:

- the answer to the first is quite simple, societies are made up of human beings who have their times, their problems and who make mistakes. Whoever had to deal with it probably underestimated the matter or perhaps, more simply, was busy on holiday or with other matters! You know the result.

- the second question is more difficult to answer. From a media exposure point of view, it is easier to justify a failure if the culprit is an opposing state, more difficult to justify what happened if it turns out that the attacker is a fifteen-year-old novice. Furthermore, the international situation of the United States and Cloudflare's position as a global provider of security services makes it an ideal victim for anyone who wants to claim responsibility for the attack. 

Unfortunately, in my opinion, it is difficult to assert that the attack was "State sponsored" for several reasons. A "State sponsored" attack would somehow be claimed. Furthermore, from reading the various articles it seems that the attacker took a break on "Thanksgiving" day, November 23rd, probably because he was busy celebrating with his family!

So let's give it time. Maybe later something will turn up that will allow us to understand what happened.

PS For the more curious I have included several links at the foot of the page from which you can also understand the damage caused by this attack in terms of control activities, in practice of money spent!

Happy reading.

To learn more: