The pattern and targets have raised questions about how the group is gaining access so quickly. The leading theories include insider assistance and the breach of a common service in use by all the organizations breached so far. Interestingly, it has also been noted that Lapsus$ has recently released what appear to be authentic screenshots of internal Okta websites.
The release of these screenshots has prompted Okta to begin their own internal investigation to determine whether there is any truth to the claims by Lapsus$. So far, the Okta security team seems to believe that the screenshots are related to a contained incident that occurred in January. The attack was an attempted compromise of a third-party support engineer. Currently they feel there is no data to support either a larger compromise or ongoing threat actor activity. If Okta is not correct in their statement and Lapsus$ holds true to pattern, then we would expect to see a further release of data to support their claim.
So far Lapsus$ has released screenshots that appear to be internal tickets and chats from Okta’s Slack instance. The posts came with a note saying that Lapsus$ was only focusing on Okta customers. The claim would explain a lot. We know that the entry point for the group has been user accounts with access to specific information, and that the group then used those accounts to carry out the theft. This is one of the reasons that insider assistance is a theory. If, on the other hand, something like Okta is compromised, then it exposes a list of users. It would allow the group to pick and choose which account they want to target.
Like the Microsoft event, we will not know anything for certain until Lapsus$ releases confirmed information or Okta completes their investigation and makes a public announcement. If Okta is, or has been, compromised, then it does not bode well for the security of their 15,000 customers. It means that any one of those customers could be at risk of compromise, and by a service specifically intended to prevent account compromise.