The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded “one of the most dangerous financial criminal groups” by Microsoft’s Incident Response and Threat Intelligence team.
The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks.
It later shifted to extortion using stolen data, and by mid-2023 the group had partnered with the ALPHV/BlackCat ransomware operation, initially leveraging the ALPHV Collections leak site and later deploying the ransomware itself, with a focus on VMware ESXi servers.
Microsoft’s in-depth post about the group and its extensive range of tactics, techniques, and procedures (TTPs) details the evolution of Octo Tempest and the fluidity of its operations.
“In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data,” the report notes. “Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques.”
The Multi-Armed 0ktapus Cybercrime Playbook
The group gains initial access through advanced social engineering techniques, often targeting employees whose roles carry broad network permissions, including support and help desk personnel.
The attackers call these individuals and attempt to persuade them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility.
The group is not above leveraging personal information, such as home addresses and family names, or even making physical threats, to coerce victims into sharing corporate access credentials.
During the initial stages of the attacks, Octo Tempest conducts extensive reconnaissance, which includes gathering data on users, groups, and device information, and exploring network architecture, employee onboarding, and password policies.
The group uses tools including PingCastle and ADRecon for Active Directory reconnaissance, and the PureStorage FlashArray PowerShell SDK for enumerating storage arrays.
They reach deep into multi-cloud environments, code repositories, and server infrastructure, aiming to validate access and plan footholds for subsequent attack phases, a process that helps the group map out its activity within the targeted environment.
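The help-desk chain described above (a reset performed by someone other than the account owner, then a new authentication method, then an RMM install on the same account within a short window) is a sequence defenders can correlate across identity and endpoint audit logs. The following is an added example, not code from Microsoft's report or any vendor; the event schema, action names and sample log records are constructed for illustration.

```python
"""Correlate constructed audit events to flag the help-desk-driven takeover
chain: a reset done by a third party, then an MFA method added, then an RMM
tool installed, all for one user inside a short window.  The event tuple
format and action names are assumptions for this example, not a real schema."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actor, target_user, action, detail)
SAMPLE_EVENTS = [
    ("2023-09-10T13:02:00", "helpdesk01", "jsmith", "PASSWORD_RESET", "ticket=12345"),
    ("2023-09-10T13:05:30", "jsmith", "jsmith", "MFA_METHOD_ADDED", "authenticator-app"),
    ("2023-09-10T13:41:10", "jsmith", "jsmith", "RMM_INSTALL", "rmm-agent.msi"),
    ("2023-09-10T09:15:00", "helpdesk02", "bwong", "PASSWORD_RESET", "ticket=12001"),
    ("2023-09-12T10:00:00", "bwong", "bwong", "MFA_METHOD_ADDED", "phone"),
]

# Ordered stages of the chain; an alert fires only when all three are hit.
CHAIN = ["PASSWORD_RESET", "MFA_METHOD_ADDED", "RMM_INSTALL"]


def correlate_resets(events, window=timedelta(hours=2)):
    """For every password reset performed by someone other than the account
    owner, collect which later chain stages that user hit within `window`.
    Returns dicts {"user", "reset_at", "stages"}; stages == CHAIN is a hit."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e[0]):  # ISO timestamps sort lexically
        by_user.setdefault(ev[2], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            # Self-service resets are routine; only third-party resets start a chain.
            if first[3] != CHAIN[0] or first[1] == user:
                continue
            t0 = datetime.fromisoformat(first[0])
            stages = [CHAIN[0]]
            for ev in evs[i + 1:]:
                if datetime.fromisoformat(ev[0]) - t0 > window:
                    break  # events are time-ordered, so nothing later can qualify
                if len(stages) < len(CHAIN) and ev[3] == CHAIN[len(stages)]:
                    stages.append(ev[3])
            findings.append({"user": user, "reset_at": first[0], "stages": stages})
    return findings


def full_chain_users(events, window=timedelta(hours=2)):
    """Users for whom the complete chain occurred within the window."""
    return sorted({f["user"] for f in correlate_resets(events, window) if f["stages"] == CHAIN})


if __name__ == "__main__":
    for f in correlate_resets(SAMPLE_EVENTS):
        level = "ALERT" if f["stages"] == CHAIN else "info"
        print(level, f["user"], f["reset_at"], " -> ".join(f["stages"]))
```

In the sample data only jsmith completes all three stages within two hours; bwong's MFA change comes two days after the reset and is reported as a partial chain for review rather than an alert.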
Partnering With Russians: Unprecedented Fusion of Tactics, Tools
Callie Guenther, senior manager of cyber threat research at Critical Start, says English-speaking Octo Tempest’s affiliation with the Russian-speaking BlackCat group signifies an “unprecedented fusion” of resources, technical tools, and refined ransomware tactics.
“Historically, the distinct boundaries maintained between Eastern European and English-speaking cybercriminals provided some semblance of regional demarcation,” she explains. “Now, this alliance allows Octo Tempest to operate on a wider canvas, both geographically and in terms of potential targets.”
She notes that the convergence of Eastern European cyber expertise with the linguistic and cultural nuances of English-speaking affiliates enhances the localization and efficacy of their attacks.
From her perspective, the multifaceted approach Octo Tempest employs is particularly alarming.
“Beyond their technical prowess, they’ve mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations,” she says. “This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold.”
She notes the real concern emerges when one realizes they’ve diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.
Tony Goulding, cybersecurity evangelist at Delinea, agrees that the blend of sophisticated techniques, the broad range of industries targeted, and the group's aggressive approach — even resorting to physical threats — is the most dangerous aspect of the group.
“Organizations should be very concerned,” he explains. “Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat.”
He says this is particularly beneficial when using idiolect methods to convincingly impersonate employees during phone calls.
“Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques,” he adds.
Defense in Depth
Guenther says defending against Octo Tempest’s financial pursuits involves a series of proactive and reactive measures, including adhering to the principle of least privilege so that access is restricted to what each role requires.
“Cryptocurrencies should be stored in offline cold wallets to minimize online exposure,” she advises. “Continual system updates and anti-ransomware solutions can thwart most ransomware deployments.”
Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts.
“In case of breaches or attacks, an established incident response strategy can guide immediate actions,” she adds. “Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures.”
Goulding points out that education, awareness training, and technical controls that vault privileged accounts and protect access to workstations and servers are key.
“Putting obstacles in the path of threat actors all along the attack chain, to divert them from their playbook and generate noise, is super important for early detection,” he says. “The more advanced and proficient the attack group, the better prepared they will be, so investing in the best tools that include modern capabilities is your best bet.”