The Cloudflare Hack: A Hacker, 5000 Credentials, and Operation Code Red

In a significant cybersecurity incident, Cloudflare, a leading web security and performance company, disclosed that it had been targeted by a sophisticated hacking attempt by a nation-state actor. The attack, which took place in November 2023, involved the compromise of Cloudflare’s self-hosted Atlassian server.

The threat actor conducted reconnaissance between November 14 and 17, targeting Cloudflare’s internal wiki and bug database. They returned on November 22, establishing persistent access through ScriptRunner for Jira, and attempted to infiltrate Cloudflare’s source code management system and a console server linked to an unlaunched data center in São Paulo, Brazil.

This breach was facilitated by credentials obtained from the Okta compromise in October 2023, which Cloudflare had not rotated. The oversight allowed the threat actor to use one access token and three service account credentials to gain and maintain access.

Following the breach, Cloudflare initiated a “Code Red” remediation and hardening effort. This involved a significant portion of Cloudflare’s technical staff focusing on strengthening security controls and ensuring the threat actor could no longer access the environment. Measures included rotating over 5,000 production credentials, physically segmenting systems, and conducting forensic triages on nearly 5,000 systems.

CrowdStrike’s independent assessment confirmed Cloudflare’s findings, ensuring no ongoing threat actor presence within the systems. The investigation revealed the actor’s focus on understanding Cloudflare’s global network architecture, prompting an extensive security overhaul.

  • Target and Method: Cloudflare revealed that the attack was focused on its internal systems, specifically targeting a self-hosted Atlassian server. The attackers used sophisticated methods, indicative of a nation-state-sponsored attack.
  • Detection and Response: Cloudflare detected the unauthorized access promptly and took immediate action to mitigate the breach. The company conducted a thorough investigation, working closely with external security experts and law enforcement agencies.

Impact of the Hack

  • No Customer Data Compromised: According to Cloudflare, there was no evidence that the breach impacted customer data, Cloudflare services, global network systems, or configuration data. The company emphasized that the integrity of its customer-facing services remained intact.
  • Internal Systems Affected: The breach did allow the attackers to access some of Cloudflare’s internal systems. However, the company assured that the breach was contained and that the affected systems were isolated from those hosting customer data and services.

Cloudflare’s Response

In response to a sophisticated security breach detected on Thanksgiving Day, 2023, Cloudflare undertook a series of extensive security measures to mitigate any potential threats and safeguard its infrastructure. The incident, which saw a threat actor infiltrating Cloudflare’s Atlassian server, prompted the company to implement a comprehensive security overhaul. This included the rotation of over 5,000 production credentials, a testament to the company’s commitment to maintaining the highest security standards.

To further bolster its defenses, Cloudflare physically segmented its test and staging systems. This move was aimed at enhancing the security of its development environments, ensuring that any potential breach in these areas could not impact the production systems. Additionally, the company carried out forensic triages on 4,893 systems. This exhaustive review allowed Cloudflare to thoroughly assess and fortify its network, identifying and addressing any vulnerabilities that could be exploited by threat actors.

In an unprecedented step, Cloudflare reimaged and rebooted every machine across its global network. This action ensured that any remnants of the threat actor’s presence were eradicated, resetting the systems to a secure state. Such a decisive response highlights Cloudflare’s proactive approach to cybersecurity, ensuring the integrity and resilience of its global infrastructure.

The security incident unfolded over several days, beginning with a four-day reconnaissance period during which the threat actor accessed Cloudflare’s Atlassian Confluence and Jira portals. Utilizing sophisticated techniques, the adversary created a rogue Atlassian user account, establishing persistent access to Cloudflare’s Atlassian server. This access enabled the threat actor to infiltrate the Bitbucket source code management system, leveraging the Sliver adversary simulation framework to deepen their intrusion.

Cloudflare’s investigation revealed that as many as 120 code repositories were viewed by the attacker, with an estimated 76 of these repositories believed to have been exfiltrated. This breach raised concerns about the potential exposure of sensitive information and intellectual property. However, Cloudflare’s swift and comprehensive response, coupled with its transparent communication with customers and stakeholders, exemplifies the company’s dedication to security and trust.

The hacking attempt on Cloudflare highlights the ongoing cybersecurity threats faced by technology companies, especially from nation-state actors. Cloudflare’s proactive response and transparency serve as a model for how companies can handle security incidents. While the breach was significant, Cloudflare’s assurance that customer data and services were not compromised is a testament to the effectiveness of its security measures.