According to a company blog post, the attackers first accessed Cloudflare’s systems for reconnaissance from 14 to 17 November and reached a number of systems, including the company’s “internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira)”.
The attackers reportedly returned days later on 20 and 21 November, likely to verify that they still had a connection.
“They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data centre that Cloudflare had not yet put into production in São Paulo, Brazil,” the company added.
“Analysing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network; no doubt with an eye on gaining a deeper foothold.”
The attacker reportedly accessed the systems using an access token and a trio of service account credentials that were obtained during the Okta breach that affected Cloudflare in October 2023.