The threat group behind some of this year's highest-profile, identity-based cyberattacks is also “one of the most dangerous financial criminal groups” currently in operation, Microsoft researchers said in a Wednesday report.
The group, which Microsoft identifies as Octo Tempest and other researchers identify as Oktapus, Scattered Spider and UNC3944, uses multiple forms of social engineering to gain access to organizations’ infrastructure, steal corporate data and extort victims for ransom payments, according to Microsoft Threat Intelligence.
The collection of young, native English-speaking threat actors, which was initially observed in 2022 and became affiliated with the ransomware-as-a-service operation ALPHV, or BlackCat, in mid-2023, has claimed responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox in the past few months.
Microsoft researchers said similar social-engineering techniques resulted in attacks against four Okta customers’ environments in late July and August.
While those attacks directly targeted Okta customers for the initial point of intrusion, a more recent string of attacks against Okta customer environments occurred when a threat actor used a stolen Okta support system administrator credential to access authentication tokens for customers, including BeyondTrust, Cloudflare and 1Password.
The report also pointed to the group’s recent focus on VMware ESXi servers, virtualization infrastructure that typically lacks security tooling and that has been hit by a spree of attacks this year.
The threat actors are responsible for wide-ranging campaigns using adversary-in-the-middle techniques, social engineering and SIM swapping. Industries most recently targeted for extortion include gaming, hospitality, technology, financial services, managed service providers and manufacturing, according to Microsoft.
“The well-organized, prolific nature of Octo Tempest’s attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators,” Microsoft Threat Intelligence said in the report.
Microsoft joins other threat researchers in describing the group as prevalent, highly effective, dangerous and one that sometimes resorts to physical threats against targeted organizations’ employees and their families.
“The threat actors engage in aggressive communications with victims, such as leaving threatening notes within a text file on a system, contacting executives via text messages and emails, and infiltrating communication channels being used by victims to respond to incidents,” Mandiant, a Google Cloud unit, said last month in a report on UNC3944.
“We’ve seen very young individuals break into some of the biggest organizations by leveraging these techniques that are so hard to defend against,” Mandiant Consulting CTO Charles Carmakal said during an April briefing.
“They are incredibly disruptive and aggressive,” Carmakal told Cybersecurity Dive via email last month following the MGM Resorts attack.
Research from CrowdStrike drew similar conclusions about the group’s evolving tactics, capabilities and impact earlier this year.
The Cybersecurity and Infrastructure Security Agency declined to answer specific questions about the group and its recent high-profile attacks, but noted ransomware remains a serious issue affecting organizations of all sizes, causing real-world consequences for the public.
“The U.S. government is increasing pressure on ransomware operators, using all the tools available across the federal government, including rapid information sharing to potential victims, which has enabled them to respond, often before impacts are fully realized,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement.
Ransomware reporting can bolster authorities’ ability to better grasp the size and nature of attacks, according to Goldstein.
“Unfortunately, the full scope of the problem can be difficult to measure because ransomware incidents are still widely underreported, which is why it’s critically important that entities report every cyber intrusion, including ransomware incidents, to CISA or the FBI as quickly as possible,” Goldstein said.