
Twilio Hackers Behind Okta Phishing Campaign That Breached Over 130 Organizations

The breach of phone number verification service Twilio, which made news for compromising a small number of Signal phone numbers, has been traced to the same group that has been on a spree of stealing Okta identity credentials and 2FA codes since March. The phishing campaign has hit some 130 companies thus far, including MailChimp and DigitalOcean.

Investigating firm Group-IB has found that the attackers, who remain unidentified (at least to the general public), have been extremely active during this period. Their attempts span the world, though they have a particular focus on companies in the United States. It seems they have made an effort to hack nearly every company of note based in the country: most of the major phone carriers and online gaming services, assorted cryptocurrency platforms, technology companies and retail chain stores, though fortunately the majority of these attempts have been unsuccessful.

Okta phishing campaign focuses on employee VPN credentials

Group-IB says that it has more detailed information on the phishing campaign perpetrators that it is keeping from the public at this point, but has shared with law enforcement. For now, they are referred to only as “0ktapus” and are known to be in possession of 169 unique domains that they use for phishing.

As the moniker indicates, the attackers focus on obtaining Okta identity credentials and 2FA codes. Okta is a third-party access control service that has been in business since 2009 and is widely used by business clients. Group-IB describes the phishing campaign as “low skill” but successful because of meticulous planning and a rapid pivot to supply chain attacks once an employee account is compromised.

Part of this information comes from Cloudflare, which is one of the companies that successfully fended off the phishing campaign. The attackers send employees of Okta clients a spoofed text message that asks them to verify login credentials, linking them to a phishing page mocked up to look like the legitimate Okta login portal belonging to their organization.

Group-IB says that the phishing campaign is tied together by the use of shared images, fonts and scripts in different attempts, all of which lead back to one of the 169 domains registered by the hackers. The domain names tended to include elements such as “vpn,” “okta” or “sso” in a bid to appear legitimate to the casual observer. If the victim did not notice anything amiss with the phishing text message or domain name, they may well have been taken in by the campaign as the attackers reportedly did a detailed job in making copies of each organization’s login portal.
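The domain naming pattern Group-IB describes (brand-like names padded with “vpn,” “okta” or “sso”) is something a defender can screen for in a feed of newly observed domains, for example from certificate transparency logs or DNS resolver logs. The script below is an added example written for this article, not code from Group-IB, Okta or any of the companies named; the organization name “examplecorp,” the allow-listed domains and the sample domain feed are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Lure tokens the campaign's domains tended to use, per Group-IB's description.
LURE_TOKENS = ("okta", "sso", "vpn")
# The defending organization's own brand token (hypothetical placeholder).
BRAND_TOKENS = ("examplecorp",)
# Domains the organization legitimately uses for login (hypothetical allow-list).
LEGIT_DOMAINS = {"examplecorp.com", "examplecorp.okta.com"}
# Registrable domains owned by the identity vendor itself; subdomains are trusted.
VENDOR_DOMAINS = ("okta.com",)


@dataclass
class Finding:
    domain: str
    lure_tokens: list = field(default_factory=list)
    brand_tokens: list = field(default_factory=list)
    score: int = 0


def _labels(domain: str) -> list:
    """Split a domain into lowercase labels, further splitting each label on
    hyphens, underscores and digits so "examplecorp-sso" yields both parts."""
    parts = []
    for label in domain.lower().strip(".").split("."):
        parts.extend(p for p in re.split(r"[-_0-9]+", label) if p)
    return parts


def _is_trusted(domain: str) -> bool:
    d = domain.lower().strip(".")
    if d in LEGIT_DOMAINS:
        return True
    return any(d == v or d.endswith("." + v) for v in VENDOR_DOMAINS)


def score_domain(domain: str):
    """Return a Finding for a suspicious domain, or None for a trusted or
    uninteresting one. Scoring: +1 per lure token, +2 per brand token, and a
    further +2 when both kinds co-occur, which is the campaign's signature."""
    if _is_trusted(domain):
        return None
    labels = _labels(domain)
    joined = "".join(labels)
    lures = [t for t in LURE_TOKENS if any(t in lab for lab in labels)]
    brands = [t for t in BRAND_TOKENS if t in joined]
    score = 2 * len(brands) + len(lures)
    if brands and lures:
        score += 2
    if score == 0:
        return None
    return Finding(domain, lures, brands, score)


def triage(domains, threshold: int = 3) -> list:
    """Screen a feed of domains and return findings at or above the threshold,
    highest score first. The threshold keeps incidental substring matches
    (a lone "sso" inside an unrelated word) out of the alert queue."""
    findings = [f for f in (score_domain(d) for d in domains) if f is not None]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample feed: not real domains from the campaign.
SAMPLE_FEED = [
    "examplecorp-sso.com",
    "okta-vpn-examplecorp.net",
    "examplecorp.okta.com",
    "login.okta.com",
    "weather-today.org",
    "lessons-online.org",
    "examplecorpsso.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        print(f"{f.score:2d}  {f.domain}  lures={f.lure_tokens} brand={f.brand_tokens}")
```

In practice the feed would be the organization's own new-domain or certificate transparency stream, and a hit would go to the team that handles takedown requests and blocks the domain at the mail gateway and DNS filter before the text messages arrive.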

In the roughly five months that the phishing campaign has been active, it has racked up 9,931 login credentials from about 130 organizations. 5,541 included MFA codes, and 3,120 included the victim’s email account.

Details on hackers remain thin, but motivation appears to be financial

Given the relatively low-skill nature of the phishing campaign and the information the perpetrators have targeted, it appears to be a criminal group rather than an espionage campaign. Group-IB says that the attackers are focused on cash, proprietary and insider company information, and cryptocurrency accounts. For example, when Mailchimp and marketing firm Klaviyo were breached the attackers went straight after crypto companies and related accounts.

Group-IB is holding back some information that has been provided to law enforcement, but it did report that it traced the phishing campaign back to a Telegram channel run by a user named “X” who lists themselves as a “22 year old software developer.” The channel administrator’s last name and photo were apparently obtained from a Twitter account that was referenced in a post, and Group-IB reports that this person is located in North Carolina.

Okta was compromised in a separate supply chain attack earlier this year, but the culprits in that case were identified as North Korea’s state-backed Lazarus hacking group. While Lazarus has been known to hack for profit, at the moment it would appear that this phishing campaign is the work of a different group that is not as advanced. There is also no known connection to the March 2021 breach of Okta, in which attackers were able to gain access through known vulnerabilities in the company’s Verkada security cameras.

Cloudflare was able to avoid compromise of the internal network, but the company did report that the phishing campaign ensnared several of its employees. The attacker was able to get no further due to the company’s system of physical MFA security keys, however, which are issued to every employee and necessary to access any internal application. Patrick Harr, CEO at SlashNext, has some additional suggestions: “We are hearing from security professionals an increased concern over smishing and mobile attacks before these high-profile breaches. Now with these attacks, it should be a wake-up call to all organizations to implement proactive AI and behavioral learning security controls in place to stop these types of attacks before employees are compromised.”
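The reason physical security keys held where OTP codes did not is that a FIDO2/WebAuthn assertion is bound to the web origin the browser is actually talking to, while a six-digit code carries no information about where it was typed. The model below is an added illustration written for this article, not Cloudflare's or Okta's code; the origins, the OTP value and the authenticator secret are constructed, and HMAC-SHA256 stands in for the ECDSA signature a real key would produce.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical identity provider origin (constructed placeholder).
RP_ORIGIN = "https://sso.examplecorp.test"
# A spoofed portal on a lookalike domain (constructed placeholder).
LOOKALIKE_ORIGIN = "https://examplecorp-sso.test"


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """OTP check as most identity providers perform it: the digits are compared
    and nothing records which web page the user typed them into."""
    return hmac.compare_digest(expected_code, submitted_code)


def authenticator_sign(key_secret: bytes, challenge: str, origin: str) -> dict:
    """Toy model of a FIDO2 security key. The browser, not the page, supplies
    the origin it is connected to, and the key signs that origin together with
    the challenge. HMAC-SHA256 stands in for the real ECDSA signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    )
    signature = hmac.new(key_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": signature}


def verify_assertion(key_secret: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks: the origin must be ours, the challenge must be the
    one we issued, and the signature must cover exactly that client data."""
    client_data = json.loads(assertion["clientData"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != RP_ORIGIN:
        return False  # produced while the browser was on a different site: reject
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False
    expected_sig = hmac.new(key_secret, assertion["clientData"].encode(),
                            hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def relayed_otp_is_accepted() -> bool:
    """A valid code captured on a spoofed OTP page and forwarded to the real
    identity provider within its validity window is indistinguishable from a
    code typed on the genuine portal."""
    code = "482913"  # constructed OTP value
    captured_on_lookalike = code
    return verify_otp(code, captured_on_lookalike)


def relayed_assertion_is_accepted() -> bool:
    """The same relay against a security key: the browser on the lookalike
    site labels the assertion with LOOKALIKE_ORIGIN, so the real identity
    provider rejects it even though the challenge and signature are valid."""
    key_secret = b"constructed-authenticator-secret"
    challenge = secrets.token_urlsafe(16)  # issued by the real IdP
    assertion = authenticator_sign(key_secret, challenge, LOOKALIKE_ORIGIN)
    return verify_assertion(key_secret, assertion, challenge)


def genuine_assertion_is_accepted() -> bool:
    """Control case: the same key used on the genuine portal is accepted."""
    key_secret = b"constructed-authenticator-secret"
    challenge = secrets.token_urlsafe(16)
    assertion = authenticator_sign(key_secret, challenge, RP_ORIGIN)
    return verify_assertion(key_secret, assertion, challenge)


if __name__ == "__main__":
    print("relayed OTP accepted:       ", relayed_otp_is_accepted())
    print("relayed assertion accepted: ", relayed_assertion_is_accepted())
    print("genuine assertion accepted: ", genuine_assertion_is_accepted())
```

A real browser adds a second layer the model omits: it will not even offer the credential to a page whose origin does not match the credential's registered relying-party ID, so the spoofed portal never gets an assertion to relay in the first place.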

Monnia Deng, Director of Product Marketing at Bolster, suggests that the simple addition of a push notification could preclude this route of attack: “There is another critical component to this attack that is interesting which is the attackers also spoofed the OTP page to steal both the login and the 2FA. Organizations should move past OTP as their multi-factor authentication method and opt for something more secure: such as a push notification. The reason why most organizations have not implemented push MFA as their method of choice is because it is difficult to enforce every user to download an application on their device. Therefore, a good method is to also submit 2FA pages, whether rebranded in the corporate style or through the actual 2FA vendor itself, as assets for a real-time digital risk vendor to scan the internet for any signs of spoofing. These assets – both the corporate domains as well as any affiliate domains such as 2FA vendors – should be tracked together.”