Thanksgiving 2023 security incident
Authors: Matthew Prince, John Graham-Cumming, Grant Bourzikas
Overview
On November 23, 2023, Cloudflare’s security team identified an unauthorized actor on their self-hosted Atlassian server. The company immediately launched an investigation, terminated the threat actor’s access, and engaged CrowdStrike for independent forensic analysis. Cloudflare emphasized that “no Cloudflare customer data or systems were impacted by this event.”
Initial Compromise and Access Pattern
The breach originated from credentials compromised during an October 2023 Okta security incident. Cloudflare failed to rotate one Moveworks service token and three service accounts from that earlier breach. The threat actor began reconnaissance on November 14, gaining access to Atlassian Jira and Confluence on November 15.
The attacker searched the wiki for terms including “remote access,” “secret,” and “token,” accessing 36 Jira tickets and 202 wiki pages while seeking information about network configuration and access controls.
Escalation and Persistence
On November 16, the threat actor created a fake Atlassian user account to maintain access. By November 22, they installed the Sliver Adversary Emulation Framework for command-and-control connectivity, enabling persistent system access.
The attacker downloaded 76 source code repositories related to backup systems, network configuration, identity management, remote access, Terraform, and Kubernetes. While unable to confirm exfiltration, Cloudflare treated them as compromised.
Detection and Response
Cloudflare’s security team detected suspicious activity at 16:00 on November 23 and deactivated the Smartsheet service account within 35 minutes. The threat actor’s user account was disabled 48 minutes later. All threat actor access terminated by November 24.
Remediation Efforts (“Code Red”)
Beginning November 27, Cloudflare launched a comprehensive “Code Red” operation involving significant technical staff:
- Rotated over 5,000 production credentials
- Performed forensic analysis on 4,893 systems
- Reimaged and rebooted every machine globally
- Returned São Paulo data center equipment to manufacturers for forensic examination
- Searched for embedded secrets, unused accounts, and potential persistence mechanisms
The immediate effort concluded January 5, with ongoing security improvements continuing.
Attack Timeline
October 18: Okta compromise resulted in credential theft
November 14-17: Reconnaissance and initial system access
November 15: Successful authentication to Atlassian services
November 16: Threat actor created user account for persistence
November 20-21: Access testing indicating potential return
November 22: Installation of Sliver framework and attempted lateral movement
November 23: Detection and access termination begins
November 24: Complete threat actor removal confirmed
Threat Actor Assessment
Cloudflare concluded the attack “was performed by a nation state attacker with the goal of obtaining persistent and widespread access” to their global network infrastructure.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| 193.142.58[.]126 | IPv4 | Primary threat actor infrastructure (M247 Europe SRL, Bucharest) |
| 198.244.174[.]214 | IPv4 | Sliver C2 server (OVH SAS, London) |
| idowall[.]com | Domain | Infrastructure serving Sliver payload |
| jvm-agent | Filename | Sliver payload (SHA256: bdd1a085d651082ad567b03e5186d1d46d822bb7794157ab8cce95d850a3caaf) |
Key Conclusions
The Zero Trust architecture limited lateral movement despite initial system compromise. No evidence emerged of access to the global network, data centers, SSL keys, customer databases, Cloudflare Workers, AI models, or data storage systems including Workers KV, R2, or Quicksilver. The threat actor’s access remained restricted to the Atlassian environment and its server.