Cloudflare says an attacker tried to breach its global network

2 Feb 2024


Cloudflare says an attacker tried to gain ‘persistent and widespread access’ to its global network by using stolen access tokens and credentials from an Okta breach in 2023.

Cloudflare has shared details of a cyberattack on its systems, which the organisation attributed to a “nation state attacker”.

The intrusion took place in November 2023 and was carried out using access tokens and credentials stolen in the Okta breach earlier that year, which had not been rotated in the meantime, according to Cloudflare’s investigation.
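The intrusion rested on credentials that were still valid weeks after the third-party breach in which they were taken. The following script is an added example, not code from Cloudflare or from this article: given a credential inventory and the date range of an upstream compromise, it lists every credential that existed during that range and has not been rotated since the range closed, treating a rotation that happened inside the window as no rotation at all. The inventory, credential names, systems and dates are constructed for illustration.

```python
"""Find credentials that an upstream (third-party) compromise could have exposed
and that have not been rotated since the compromise window closed.

Added example; the inventory, names and dates below are constructed, not taken
from Cloudflare's incident report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Credential:
    name: str                      # label in a secrets inventory (hypothetical)
    system: str                    # where the credential grants access
    issued: date                   # when it was minted
    last_rotated: Optional[date]   # None means it has never been rotated


@dataclass(frozen=True)
class CompromiseWindow:
    provider: str   # the third party that was breached
    start: date     # first day the attacker is known to have had access
    end: date       # last day the attacker could have copied secrets


def exposure_reason(cred: Credential, window: CompromiseWindow) -> Optional[str]:
    """Return why the credential must be rotated, or None if it is clean.

    A credential is exposed if it existed at any point during the window and
    no rotation happened strictly after the window closed.  A rotation inside
    the window does not help: the replacement value could have been taken too.
    """
    if cred.issued > window.end:
        return None  # minted after the attacker lost access; nothing to steal
    if cred.last_rotated is None:
        return f"never rotated since {window.provider} compromise ended {window.end}"
    if cred.last_rotated <= window.end:
        return (f"last rotated {cred.last_rotated}, inside or before the "
                f"{window.provider} window ending {window.end}")
    return None


def credentials_to_rotate(inventory, windows):
    """Sorted (name, reason) pairs for every credential exposed by any window."""
    findings = []
    for cred in inventory:
        for window in windows:
            reason = exposure_reason(cred, window)
            if reason is not None:
                findings.append((cred.name, reason))
                break  # one exposing window is enough to require rotation
    return sorted(findings)


# Constructed inventory and compromise window (illustrative dates only).
WINDOW = CompromiseWindow(provider="identity-vendor",
                          start=date(2023, 9, 28), end=date(2023, 10, 17))

INVENTORY = [
    Credential("wiki-service-token", "atlassian", date(2023, 3, 1), None),
    Credential("ci-deploy-key", "ci", date(2023, 8, 15), date(2023, 10, 10)),
    Credential("bugdb-api-token", "atlassian", date(2023, 5, 5), date(2023, 10, 20)),
    Credential("console-admin-token", "console", date(2023, 11, 1), None),
]

if __name__ == "__main__":
    for name, reason in credentials_to_rotate(INVENTORY, [WINDOW]):
        print(f"ROTATE {name}: {reason}")
```

The check is deliberately conservative: the only credentials it clears are those minted after the window closed or rotated after it closed. In practice the inventory would come from the secrets manager or the vendor's token listing API, and the window from the vendor's disclosure, but those sources are outside the scope of this example.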

The IT giant says the attacker mainly conducted reconnaissance and that the goal appeared to be “obtaining persistent and widespread access to Cloudflare’s global network”. This network was connected to more than 12,000 networks in more than 300 cities by mid-June 2023, according to Cloudflare.

“We want to emphasise to our customers that no Cloudflare customer data or systems were impacted by this event,” the company said in a blogpost. “Because of our access controls, firewall rules and use of hard security keys enforced using our own zero-trust tools, the threat actor’s ability to move laterally was limited.”

The cyberattacker conducted reconnaissance and accessed the company’s internal wiki and bug database between 14 and 17 November, along with additional access detected on 20 and 21 November.

Cloudflare’s investigation found that the attacker gained “persistent access” to its Atlassian server on 22 November and attempted to reach a console server with access to a Cloudflare data centre in Brazil that the company had “not yet put into production”.

The threat actor was removed from the systems on 24 November and Cloudflare said it created a project called Code Red to learn more about the attack and prevent future intrusion attempts.

“Analysing the wiki pages they accessed, bug database issues and source code repositories, it appears they were looking for information about the architecture, security and management of our global network; no doubt with an eye on gaining a deeper foothold,” the company said.

“Because of that, we decided a huge effort was needed to further harden our security protocols to prevent the threat actor from being able to get that foothold had we overlooked something from our log files.”


Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com