Cyber Incident Victim: Cloudflare
Date: Aug 2022
Location: United States of America
Summary
Cloudflare employees were targeted in an SMS phishing campaign attributed to the same threat actors responsible for the Twilio breach. The attackers stole credentials but failed to infiltrate any systems because Cloudflare mandates physical security keys for authentication. The phishing messages, sent from T-Mobile numbers, directed victims to a fraudulent login page mimicking Cloudflare's Okta portal, which also triggered automatic downloads of the AnyDesk remote access software. Although credentials were compromised, hardware-key multi-factor authentication prevented unauthorized access, and the company mitigated the attack by blocking the malicious domains, resetting affected accounts, dismantling attacker infrastructure, enhancing detection mechanisms, and auditing service logs. The incident also highlighted coordinated efforts among the targeted organizations to disrupt the ongoing campaign, even as the attackers rotated carriers and hosting providers.
Description
In early August 2022, Cloudflare employees were targeted in an SMS phishing campaign mirroring the tactics used against Twilio. Attackers sent fraudulent messages from T-Mobile phone numbers to 76 Cloudflare employees and their family members, directing them to a cloned Cloudflare Okta login page hosted on the domain cloudflare-okta[.]com, which was registered through Porkbun, the same registrar linked to the Twilio breach infrastructure. Employees who submitted credentials inadvertently triggered the automatic download of AnyDesk remote access software, which could have granted the attackers control over their devices if executed. Cloudflare confirmed that individual employees fell victim to the phishing scheme, exposing their usernames and passwords. However, the company prevented system access by requiring FIDO2-compliant physical security keys for all application logins; because a FIDO2 login is bound to the legitimate site's origin, a look-alike domain cannot complete the second factor, so the attackers were blocked even though they held valid credentials.

Cloudflare’s response included immediate blocking of the phishing domain via Cloudflare Gateway, credential resets for impacted personnel, identification and takedown of attacker infrastructure, and enhanced detection protocols to monitor for follow-up attempts. The company also audited service access logs to identify additional indicators of compromise. Concurrently, Twilio disclosed a related breach in which attackers successfully accessed internal systems and customer data using credentials stolen through a similar SMS phishing operation. Twilio coordinated with other targeted organizations to disrupt the malicious messaging campaigns and their infrastructure, though the attackers persisted by rotating carriers and hosting providers. Cloudflare’s incident highlighted the effectiveness of hardware-based authentication in neutralizing credential theft, in contrast to Twilio’s outcome, where the supplemental security layers in place were insufficient to prevent unauthorized access. Both incidents underscored the persistent threat of coordinated phishing campaigns against critical infrastructure providers.
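As an added example (not part of this record or Cloudflare's own code), the following Python sketch models why the hardware keys held up: the browser stamps the page's real origin into clientDataJSON and derives the RP ID hash from the page's own host, so an assertion produced on the look-alike domain fails the relying party's checks. The legitimate portal hostname and the assertion layout are constructed assumptions, and signature verification is omitted.

```python
import base64
import hashlib
import json

# Constructed values for this example; the real portal hostname is an assumption.
LEGIT_ORIGIN = "https://cloudflare.okta.com"
RP_ID = "cloudflare.okta.com"
PHISH_ORIGIN = "https://cloudflare-okta.com"  # look-alike domain named on this page


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_get_assertion(page_origin: str, challenge: bytes) -> dict:
    """Simulates navigator.credentials.get() on a page served from page_origin.

    The browser writes the page's own origin into clientDataJSON and only allows
    an RP ID that matches the page's host, so a phishing page cannot obtain an
    assertion that claims the legitimate origin or RP ID.
    """
    host = page_origin.split("://", 1)[1]
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    # authenticatorData: rpIdHash (32 bytes) + flags (UP|UV) + 4-byte sign counter
    auth_data = hashlib.sha256(host.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()), "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party side: check ceremony type, origin, challenge and rpIdHash."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


if __name__ == "__main__":
    chal = b"\x01" * 32  # constructed server challenge
    print("legitimate login:", verify_assertion(browser_get_assertion(LEGIT_ORIGIN, chal), chal))
    print("phishing page:   ", verify_assertion(browser_get_assertion(PHISH_ORIGIN, chal), chal))
```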
