Cloudflare, a leader in web infrastructure and DDoS protection, fell victim to a sophisticated cyberattack, believed to be the work of a nation-state actor. The attackers sought persistent and widespread access to Cloudflare’s global network, leveraging stolen credentials from a prior Okta support system breach in October 2023. Despite the elaborate intrusion tactics, Cloudflare’s vigilant response and robust security measures limited the attack’s impact, ensuring no customer data or critical system configurations were compromised.
- Attack Timeline and Tactics: The threat actor initially accessed Cloudflare’s self-hosted Atlassian server on November 14, 2023, later establishing persistent access and infiltrating Cloudflare’s Confluence, Jira, and Bitbucket systems. Attempts to breach a non-production data center in São Paulo were thwarted.
- Credential Misuse: The breach was facilitated by one access token and three service account credentials previously stolen during the Okta breach, which Cloudflare had overlooked to rotate.
- Internal Reconnaissance: The attackers conducted a four-day reconnaissance operation, scoping out Cloudflare’s internal systems and later establishing a rogue Atlassian user account for sustained access.
Security Measures and Response:
- Immediate Containment: Cloudflare detected the malicious activity on November 23, terminated the threat actor’s access by November 24, and initiated a thorough investigation with CrowdStrike’s assistance.
- Comprehensive Remediation Efforts: Cloudflare undertook extensive measures including rotating over 5,000 production credentials, segmenting test and staging systems, conducting forensic triages on 4,893 systems, and reimaging and rebooting every machine across its global network, including all accessed systems and Atlassian products.
- Data Center Security: Equipment in the São Paulo data center was returned to manufacturers to guarantee absolute security, despite the threat actor’s failed access attempts.
Impact and Implications:
- Limited Operational Impact: Cloudflare emphasized that the breach did not affect customer data, services, or global network systems. The meticulous analysis of accessed documentation and source code indicated the attackers aimed to understand the architecture, security, and management of Cloudflare’s global network.
- Source Code Exposure: Though the attackers viewed up to 120 code repositories, only 76 were believed to be exfiltrated, focusing on Cloudflare’s backup processes, global network configuration, identity management, remote access, and use of Terraform and Kubernetes.
The Cloudflare breach, executed by leveraging credentials stolen from a previous Okta incident, underscores the persistent risks associated with supply chain attacks and credential management. The incident highlights the critical need for robust credential rotation policies, comprehensive system monitoring, and the importance of swift, coordinated incident response. While Cloudflare’s swift actions and zero-trust security approach significantly mitigated the breach’s impact, the incident serves as a stark reminder of the sophistication of nation-state actors and the continuous threat they pose to global networks and infrastructures.
Stay safe and informed,