Cloudflare Inc. disclosed today that one of its internal Atlassian servers was hacked by a suspected nation-state attacker in November and provided details of what occurred so others know the risks.

The hack in question was detected on Nov. 23, Thanksgiving Day in the U.S., with Cloudflare’s security team immediately cutting off the threat actor’s access and launching an investigation. Realizing that the breach was more than minor, CrowdStrike brought in its forensic team on Nov. 26 to perform an independent analysis.

The release today includes the findings from the forensic team’s report. The report found that between Nov. 14 and 17, a threat actor undertook reconnaissance and then accessed Cloudflare’s internal wiki, which uses Atlassian Corp.’s Confluence and its bug database, powered by Atlassian Jira. Further activity was found on Nov. 20 and 21, with the threat actor believed to have returned to test access to ensure they had connectivity.

The threat actor then returned on Nov. 22 and established persistent access to the Atlassian server using ScriptRunner for Jira, gained access to Cloudflare’s source code management system, which uses Atlassian Bitbucket, and tried unsuccessfully to access a console server with access to a data center that Cloudflare had not yet put into production in São Paulo, Brazil.

Where it gets interesting is how the threat actor gained access. It did so through one access token and three service account credentials that had been compromised in the October breach of Okta Inc. To its credit, Cloudflare admits it was a mistake, as it had failed to change the access following the Okta hack. All threat actor access and connections were then terminated on Nov. 24.

It is noted by Cloudflare that no customer data or systems were affected by the event. Cloudflare’s security, including access controls, firewall rules, hard security keys and zero trust tools, limited the attacker’s ability to move laterally across the network. No services were interrupted and no changes need to be made to global network systems or configurations.

The only data the threat actor was able to access during that time was on the Atlassian server. It was found that the attacker was looking for information about the architecture, security and management of Cloudflare’s global network, likely looking for a way to gain a deeper foothold.

In response to the attack, Cloudflare has now, out of a sense of caution, rotated every production credential — more than 5,000 individual credentials — physically segment-tested all staging systems, performed forensic triages on 4,893 systems, and reimaged and rebooted every machine in its global network, including all Atlassian products — Jira, Confluence and Bitbucket.

“This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner,” Cloudflare concluded. “The efforts we have taken to ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future.”

Photo: HaeB/Wikimedia Commons