In a bold assault, nation-state-backed intruders attempted to penetrate deep into Cloudflare’s global network. Leveraging stolen credentials linked to the Okta hack in October 2023, the attackers managed to infiltrate Cloudflare systems.
The company detected the malicious activity on November 23, 2023, and cut off the intruder’s access on November 24. Cloudflare’s cybersecurity team launched a forensic investigation on November 26 to unravel the intrusion.
Faced with this unprecedented threat, Cloudflare staff acted decisively. They rotated over 5,000 production credentials, isolated test and staging systems, and performed a thorough forensic evaluation of 4,893 systems. All Atlassian servers (Jira, Confluence, and Bitbucket) and every machine the attackers had accessed were redeployed and rebooted across the company’s global network.
Despite the attackers’ attempts to infiltrate Cloudflare’s data center in São Paulo, all maneuvers failed. To ensure the security of the data center in Brazil, all equipment was returned to the manufacturers.
Although the corrective measures concluded on January 5, Cloudflare continues to work tirelessly on strengthening its systems. The focus is on credential and vulnerability management, as well as hardening the software to prevent future attacks.
In a reassuring message, Cloudflare tells its customers that the breach did not affect customer data or systems. Cloudflare’s services, global network, and configuration remained intact. Despite the intrusion, the company stresses that the threat was contained and its impact minimized, avoiding any significant consequences.
The investigation reveals that the attackers sought detailed information about the architecture, security, and management of Cloudflare’s global network. The company, in collaboration with industry and government colleagues, maintains that this attack bears the signature of a nation-state-backed actor, with the goal of gaining persistent and widespread access to Cloudflare’s global network.
This is not Cloudflare’s first run-in with cyber threats. A previous intrusion attempt was blocked in August 2022, when attackers tried to use employee credentials stolen in a phishing attack but were stopped because they did not possess the employees’ company-issued FIDO2 security keys.
The company urges the community to remain vigilant and reinforces its commitment to maintaining the integrity and security of its global systems. In an era where cyberattacks are increasingly common, Cloudflare demonstrates its ability to resist and evolve in defending enterprise cybersecurity.