Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

February 4, 2024 at 12:19PM

Cloudflare disclosed a likely nation-state cyber attack involving unauthorized access to its Atlassian server, which exposed documentation and source code. In response, the company rotated production credentials, triaged systems, and terminated malicious connections. The attacker used credentials stolen in other hacks, which prompted Cloudflare to increase its security measures and engage cybersecurity firm CrowdStrike for an assessment.

Cloudflare appears to have been the target of a sophisticated nation-state attack in which the threat actor gained unauthorized access to its Atlassian server and obtained access to documentation and a limited amount of source code. The intrusion took place between November 14 and 24, 2023, and the company detected it on November 23.

In response, Cloudflare took significant precautionary measures such as rotating over 5,000 production credentials, physically segmenting test and staging systems, carrying out forensic triages on 4,893 systems, and reimaging and rebooting every machine across its global network. The company identified that as many as 120 code repositories were viewed, with 76 estimated to have been exfiltrated.

The attack was made possible by stolen access tokens and account credentials associated with various services. Cloudflare acknowledged that it had failed to rotate these credentials because it had assumed they were unused. The company also mentioned that the threat actor attempted to access a console server in São Paulo, Brazil.

On November 24, 2023, Cloudflare took steps to terminate all malicious connections originating from the threat actor, and it engaged cybersecurity firm CrowdStrike to perform an independent assessment of the incident.

Based on the accessed wiki pages, bug database issues, and source code repositories, the company believes the attacker was focused on information about the architecture, security, and management of its global network.
