Cloudflare has disclosed that it experienced a targeted cyberattack, likely orchestrated by a nation-state, between November 14 and 24, 2023. The attacker used stolen credentials to gain unauthorized entry into Cloudflare’s Atlassian server, leading to the compromise of certain documentation and a limited amount of source code. The sophisticated threat actor operated in a thoughtful and methodical manner, and its objective was to obtain persistent and widespread access to Cloudflare’s global network.
As a precautionary measure, Cloudflare took significant actions, including rotating over 5,000 production credentials, physically isolating test and staging systems, conducting forensic analyses on 4,893 systems, and reimaging/rebooting all machines across its global network.
The attack unfolded over four days, involving reconnaissance to access Atlassian Confluence and Jira portals. Subsequently, the adversary created a rogue Atlassian user account, establishing persistent access to the Atlassian server. The attacker then utilized the Sliver adversary simulation framework to access Cloudflare’s Bitbucket source code management system.
During the intrusion, 120 code repositories were accessed, with an estimated 76 repositories being exfiltrated. These repositories mainly contained information about backup procedures, global network configuration and management, identity protocols at Cloudflare, remote access methods, and the company’s use of Terraform and Kubernetes. Some repositories also held encrypted secrets, which were promptly rotated despite their strong encryption.
The threat actor attempted unsuccessfully to access a console server linked to Cloudflare’s data center in São Paulo, Brazil. The attack leveraged one access token and three service account credentials associated with AWS, Atlassian Bitbucket, Moveworks, and Smartsheet, stolen during the October 2023 hack of Okta’s support case management system. Cloudflare acknowledged a failure to rotate these credentials, mistakenly assuming they were inactive.
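An added example (not from Cloudflare's report or tooling): a rotation audit for the failure mode described above, where credentials exposed in a third-party breach stay valid because they are believed to be unused. The inventory format, field names, credential ids and dates are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: ids, dates and fields are illustrative assumptions.
EXPOSED_AT = datetime.fromisoformat("2023-10-01T00:00:00+00:00")  # placeholder breach date
INVENTORY = [
    {"id": "token-1", "last_rotated": "2023-03-01T00:00:00+00:00", "believed_unused": True},
    {"id": "svc-a", "last_rotated": "2023-06-12T00:00:00+00:00", "believed_unused": True},
    {"id": "svc-b", "last_rotated": "2023-10-20T00:00:00+00:00", "believed_unused": False},
    {"id": "svc-c", "last_rotated": "2022-11-30T00:00:00+00:00", "believed_unused": False},
]
AUTH_EVENTS = [
    {"cred": "token-1", "ts": "2023-11-15T08:00:00+00:00"},
    {"cred": "token-1", "ts": "2023-11-14T09:30:00+00:00"},
    {"cred": "svc-b", "ts": "2023-11-02T12:00:00+00:00"},
    {"cred": "svc-c", "ts": "2023-09-10T07:15:00+00:00"},  # before the exposure
]

def audit_exposed_credentials(inventory, auth_events, exposed_at):
    """Return findings for every credential not rotated since exposed_at."""
    # Index authentications seen on or after the exposure by credential id.
    used_after = {}
    for ev in auth_events:
        when = datetime.fromisoformat(ev["ts"])
        if when >= exposed_at:
            used_after.setdefault(ev["cred"], []).append(when)

    findings = []
    for cred in inventory:
        if datetime.fromisoformat(cred["last_rotated"]) >= exposed_at:
            continue  # rotated after the exposure: the stolen value no longer works
        uses = sorted(used_after.get(cred["id"], []))
        findings.append({
            "id": cred["id"],
            # Reported for context only; it never exempts a credential from rotation.
            "believed_unused": cred["believed_unused"],
            # Use after exposure of an unrotated credential is the strongest signal.
            "severity": "critical" if uses else "high",
            "first_use_after_exposure": uses[0].isoformat() if uses else None,
        })
    # Critical findings first, then by id for a stable report.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["id"]))
    return findings

if __name__ == "__main__":
    for finding in audit_exposed_credentials(INVENTORY, AUTH_EVENTS, EXPOSED_AT):
        print(finding)
```

The audit keys only on rotation time relative to the exposure, so a credential marked as unused is still reported until it is rotated.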
On November 24, 2023, Cloudflare terminated all malicious connections initiated by the threat actor and engaged cybersecurity firm CrowdStrike for an independent assessment of the incident. The compromised systems were confined to the Atlassian environment, with the attacker focusing on gaining insights into the architecture, security, and management of Cloudflare’s global network through accessed wiki pages, bug database issues, and source code repositories.