Cloudflare Breached by Suspected State-Sponsored Threat Actor Accessing Source Code and Internal Documents

Cloudflare, a well-known web security company and content delivery network, recently disclosed a security breach carried out by a suspected state-sponsored threat actor. The incident, discovered on November 23, involved unauthorized access to internal systems using stolen credentials that had originally been compromised during the October 2023 Okta hack.
Exploiting Stolen Credentials
The threat actor used these credentials to get into Cloudflare's internal wiki and bug database, conducting reconnaissance from November 14. Although network segmentation kept them out of certain critical systems, the attackers reached Cloudflare's AWS environment and its Atlassian suite, including Jira and Confluence.
Within the Atlassian suite, the attackers searched for information about Cloudflare's network infrastructure, focusing on keywords such as "remote access," "secret," and "token." They also created a persistent Atlassian account to preserve their access. Additionally, they deployed the Sliver adversary emulation framework to extend their foothold and attempted to breach a non-operational data center in São Paulo, Brazil.
Cloudflare's Swift Action Plan
Although the attackers accessed and downloaded source code repositories, Cloudflare responded promptly by rotating encrypted secrets and terminating the unauthorized accounts. Firewall rules were put in place to block the attackers' IP addresses, and broader remediation followed, including re-imaging and rebooting every machine in Cloudflare's global network.
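The root cause described above is a credential stolen from a third party (Okta) in October and still valid a month later. The defensive check a practitioner wants after any vendor compromise is an inventory audit: which of our secrets did that vendor hold, and has each one been rotated since the compromise? The following is an added illustration, not Cloudflare's tooling; the inventory format (JSON lines with `name`, `grants`, `held_by`, `issued_at`, `rotated_at`), the sample records and the compromise date are all constructed for the example.

```python
"""Audit a secrets inventory for credentials that should have been rotated
after a third-party compromise.  Added example; not Cloudflare's own code.
Inventory format, sample records and dates below are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Credential:
    name: str
    grants: str                  # system the secret gives access to
    held_by: tuple[str, ...]     # third parties that store or proxy the secret
    issued_at: datetime          # when the current value was first minted
    rotated_at: Optional[datetime] = None   # last rotation, None if never rotated


def parse_inventory(lines: Iterable[str]) -> list[Credential]:
    """Parse one JSON object per line; blank lines and '#' comments are skipped."""
    creds = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        creds.append(Credential(
            name=rec["name"],
            grants=rec["grants"],
            held_by=tuple(rec.get("held_by", [])),
            issued_at=datetime.fromisoformat(rec["issued_at"]),
            rotated_at=datetime.fromisoformat(rec["rotated_at"]) if rec.get("rotated_at") else None,
        ))
    return creds


def current_value_since(c: Credential) -> datetime:
    """The moment the secret's *current* value came into existence."""
    return c.rotated_at or c.issued_at


def unrotated_after(creds: Iterable[Credential], vendor: str, compromised_at: datetime) -> list[Credential]:
    """Secrets held by `vendor` whose current value already existed at the time of
    the compromise, i.e. anything the attacker could have taken and still use."""
    return [c for c in creds
            if vendor in c.held_by and current_value_since(c) < compromised_at]


def rotation_report(creds: Iterable[Credential], vendor: str,
                    compromised_at: datetime, now: datetime) -> dict:
    """Summarise what still needs rotating, with the age in days of each stale value."""
    stale = unrotated_after(creds, vendor, compromised_at)
    return {
        "vendor": vendor,
        "stale_count": len(stale),
        "stale": [(c.name, c.grants, (now - current_value_since(c)).days) for c in stale],
    }


# Constructed sample inventory.  Names are illustrative, not Cloudflare's real secrets.
SAMPLE_INVENTORY = """
# name / what it grants / which third parties hold it / issued / last rotated
{"name": "okta-api-token", "grants": "okta-admin", "held_by": ["okta"], "issued_at": "2023-01-05T00:00:00+00:00", "rotated_at": "2023-10-25T00:00:00+00:00"}
{"name": "atlassian-remote-access-token", "grants": "confluence+jira", "held_by": ["okta"], "issued_at": "2023-06-01T00:00:00+00:00"}
{"name": "bitbucket-service-account", "grants": "source-control", "held_by": ["okta"], "issued_at": "2023-03-10T00:00:00+00:00", "rotated_at": "2023-09-01T00:00:00+00:00"}
{"name": "aws-env-key", "grants": "aws-sandbox", "held_by": ["okta"], "issued_at": "2023-11-01T00:00:00+00:00"}
{"name": "internal-db-password", "grants": "postgres", "held_by": [], "issued_at": "2022-12-01T00:00:00+00:00"}
""".splitlines()

SAMPLE_CREDS = parse_inventory(SAMPLE_INVENTORY)
# Assumed compromise date for the example; use the vendor's disclosed window in practice.
COMPROMISE_AT = datetime(2023, 10, 18, tzinfo=timezone.utc)
# Day the article says the intrusion was discovered.
DISCOVERY_AT = datetime(2023, 11, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(rotation_report(SAMPLE_CREDS, "okta", COMPROMISE_AT, DISCOVERY_AT), indent=2))
```

Run on the sample, the report flags the Atlassian token (never rotated) and the Bitbucket service account (last rotated before the compromise), while ignoring the token rotated on October 25, the key minted after the compromise, and the password the vendor never held. The comparison is on the current value's age, not on whether a rotation ever happened, which is the distinction that matters: a secret rotated the week before a vendor breach is just as exposed as one never rotated.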
Despite the thorough investigation by Cloudflare and CrowdStrike, no evidence suggested further compromise beyond the accessed systems. The company remains vigilant, continuously improving its security measures to prevent future breaches and safeguard its infrastructure against sophisticated threats.