Microsoft: “Octo Tempest” Represents New Breed of Cybercriminals Making Use of Social Engineering and Threats

The name comes straight out of a video game, but “Octo Tempest” is a serious and emerging threat that is noteworthy for seemingly being based in the US or EU and managing to forge ties with primarily Russian ransomware service providers that previously refused to work with cybercriminals from English-speaking countries.

Microsoft documents this group, which has previously been labeled as “0ktapus” or “Scattered Spider” by other security outfits, in a new report that highlights its known techniques and tools. The cybercriminals drew their name from a significant campaign of social engineering against Okta logins, but are also responsible for the recent hacks of Caesars and MGM as well as strikes in 2022 against Mailchimp and Twilio.

Native English-speaking cybercriminals lead with sophisticated targeting of help and support desks

The millions and millions of dollars flowing through the ransomware ecosystem in recent years have no doubt caught the eye of would-be Western cybercriminals, but there have been some traditional barriers that keep all but a relatively tiny handful from breaking through. One is a ransomware tool and service ecosystem dominated almost entirely by Russians, which has typically frozen out English-speaking nations. Another is the threat of law enforcement action; Russian threat groups operate with impunity because the government largely doesn’t care so long as they leave domestic targets alone, while the US and EU countries will aggressively follow up on all manner of illegal hacking (and the most lucrative targets are within their jurisdictions).

Octo Tempest is a new breed of cybercriminal that not only does not care about domestic law enforcement, but also appears to have been able to forge relationships with Russian groups. The group combines its native fluency in English with an understanding of the corporate culture and structure of its targets, devising convincing roles for its members to play when tricking employees over the phone.

The group was first observed operating in 2022 and has gradually stepped up from data theft to data extortion, and now to ransomware as of this summer (becoming an affiliate of the ALPHV/BlackCat group). It is entirely financially motivated and nearly always leads with either a phishing email/message or a social engineering call. It also carries out SIM swap attacks; these were in fact the first batch of actions it undertook in early 2022 that put it on the radar of security researchers (at first acting as a broker of stolen SIM-swapped phone numbers for other cybercriminals, as well as targeting numbers known to hold crypto wallets for raids).

The group is thought to have started targeting larger organizations and engaging in data extortion in late 2022, whereas previously (such as with the MailChimp attack) it appeared to either be using stolen logins itself or quietly selling stolen information to private buyers. The cybercriminals apparently decided this was the most lucrative path forward, becoming an affiliate of BlackCat in mid-2023 just ahead of the newsmaking attacks on MGM and Caesars.

Microsoft now refers to the group as one of the biggest financial crime threats in the world, noting that it deploys advanced capabilities that most similar groups do not possess (such as its advanced social engineering prowess, SIM swapping and SMS phishing techniques).

Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, provides some thoughts on protecting the specific assets they are most interested in: “Defending against Octo Tempest’s financial pursuits involves a series of proactive and reactive measures. Cryptocurrencies, for instance, should be stored in offline cold wallets to minimize online exposure. Continual system updates and anti-ransomware solutions can thwart most ransomware deployments. Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts. In case of breaches or attacks, an established incident response strategy can guide immediate actions. Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures.”

Is Octo Tempest an anomaly, or the future of cybercriminals?

Octo Tempest primarily targets help and support desk employees, whether with a fake Okta login request or a phone call pretending to be some other member of the organization that needs IT support. The cybercriminals do a lot of research to understand the internal structure and lingo of the company, and have pretended to be new hires at times to cover any confusion. They may phish their way in with lower-level employee credentials initially to obtain general internal information like remote access policies and employee onboarding steps, and then make use of this in their more targeted social engineering attacks on administrator-level accounts.

The attackers are also flexible in their social engineering techniques, deploying different approaches for different targets, and the group has displayed alternative tactics in several other cases. At least once it has simply purchased a working set of employee credentials from other cybercriminals to get into a system, and it has also simply tried to threaten an employee (via text messages) into giving up their login.

Once inside, the group configures security staff’s mailbox rules to automatically delete any emails from vendors that might warn about the intrusion. And while the group is not known for exploiting vulnerabilities or any fancy hacking to get in the front door, once it gains access it deploys a broad variety of open source tools to rifle through networks for credentials and files of interest, achieve persistence by spoofing and federating new domains, and plant reverse shells to maintain access to endpoints. One unique technique is seen in its exfiltration of stolen data, as it uses Azure Data Factory pipelines to move the files to SFTP servers it controls (in a bid to avoid tripping automated defenses).
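The mailbox-rule tampering described above is a detectable event. The following is an added example (not code from the Microsoft report or from this article) that scans constructed inbox-rule audit records, shaped like Exchange Online `New-InboxRule`/`Set-InboxRule` events, and flags rules that delete or bury mail from security vendors or mail with alert-style subjects; the field names, vendor list and alert phrases are assumptions to tune per environment.

```python
# Constructed sample records (not taken from the Microsoft report), shaped like
# Exchange Online mailbox-audit events for inbox-rule creation: an Operation
# plus a list of Name/Value parameters. Field names are an assumption.
SAMPLE_EVENTS = [
    {"UserId": "sec-analyst@corp.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "okta.com;microsoft.com"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "sec-analyst@corp.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "helpdesk@corp.example", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "x"},
                    {"Name": "SubjectContainsWords", "Value": "suspicious sign-in;security alert"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}]},
]

# Assumed lists; tune to the vendors and alert phrasing used in your tenant.
VENDOR_DOMAINS = {"okta.com", "microsoft.com", "crowdstrike.com"}
ALERT_WORDS = {"security alert", "suspicious sign-in", "unusual sign-in", "incident"}
HIDING_FOLDERS = {"Deleted Items", "Junk Email", "RSS Feeds", "Archive"}

def _params(event):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}

def rule_hides_mail(p):
    """True if the rule deletes mail or moves it somewhere nobody looks."""
    return p.get("DeleteMessage") == "True" or p.get("MoveToFolder") in HIDING_FOLDERS

def rule_targets_vendor(p):
    """True if the rule's conditions single out security vendors or alert wording."""
    senders = p.get("FromAddressContainsWords", "").lower().split(";")
    subjects = p.get("SubjectContainsWords", "").lower().split(";")
    return any(d in s for d in VENDOR_DOMAINS for s in senders) or \
           any(w in s for w in ALERT_WORDS for s in subjects)

def find_suspicious_rules(events):
    """Return (user, rule name, reason) for inbox rules that hide vendor or alert mail."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(ev)
        if rule_hides_mail(p) and rule_targets_vendor(p):
            reason = "deletes" if p.get("DeleteMessage") == "True" else f"moves to {p['MoveToFolder']}"
            hits.append((ev["UserId"], p.get("Name", "?"), reason))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_EVENTS):
        print("suspicious inbox rule:", hit)
```

Rules with single-character names (like the "." above) and rules that both mark as read and delete are common hallmarks of this technique and are worth alerting on even without a vendor match.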

The cybercriminals can attack both Windows and Unix/Linux environments and have been known to home in on VMware ESXi servers since the group started using ransomware, which is what caused the general chaos at MGM properties. It’s not clear how the hackers won over the ALPHV group, but it may well be that a display of great enough capability (and willingness to cross lines) will now cause ransomware-as-a-service groups to consider people they would have previously excluded.

The Microsoft report provides a great deal of advice on hunting Octo Tempest through environments and locking down against them. Roger Grimes, data-driven defense evangelist at KnowBe4, adds: “These are examples of highly sophisticated attacks across the spectrum of possible attacks and motives. Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks. The methods and sophistication of these attacks must be shared to employees. They need lots of examples. Employees need to be able to recognize the various cyber attack methods and be taught how to recognize, mitigate, and appropriately report them. We know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight those two attack methods is where they should likely start.”

Melissa Bischoping, Director of Endpoint Security Research at Tanium, adds that the group makes a strong case for the adoption of zero trust: “You should always be evaluating how your tooling and security solutions can complement each other and aid your defense in depth strategy. Monitor for anomalous amounts of access to data on disk or large amounts of data being moved to an external destination. Be mindful that attackers may use services that have ‘legitimate’ business use such as file sharing services, remote access solutions, or collaboration platforms. If you see use of these technologies in your environment that doesn’t match your expected user behavior, it’s worth investigating. Building baselines of behavior and traffic is challenging, but that visibility and understanding will greatly advance your context when exfiltration is attempted.”

“If you haven’t already been evaluating how to migrate towards a Zero Trust architecture in your organization, now is the time! Additional and ongoing measures of protection and verification, especially around your most sensitive data, should be a priority for every security and technology team. Incident response exercises and planning should thoroughly consider the scope of access user accounts may have, and how you can reduce that access, or deploy additional controls to delay or eliminate an attacker’s expanded access,” added Bischoping.