Microsoft: 0ktapus Cyberattackers Evolve to ‘Most Dangerous’ Status

Microsoft: 0ktapus Cyberattackers Evolve to 'Most Dangerous' Status

“One of the most dangerous financial criminal groups” — and growing in sophistication. That is Microsoft’s assessment of the 0ktapus cyberattack collective, which was most recently in the news for carrying out the strikingly disruptive MGM and Caesars Entertainment ransomware hits.

The English-speaking group (aka Scatter Swine, UNC3944 or, as Microsoft calls it, “Octo Tempest”) typically engages in adversary-in-the-middle (AitM) techniques, social engineering involving calling up targets directly, and SIM swapping. It’s been known to carry out cryptocurrency theft, data-leak extortion, and ransomware attacks (it became a BlackCat/ALPHV affiliate in mid-2023). Aside from the casino/hospitality wins in September, it previously made a name for itself by specializing in successfully compromising Okta credentials in a spate of attacks, including the widespread Twilio leak last August.

The threat has been evolving in recent campaigns, according to a detailed Microsoft analysis this week, and it exhibits a notable level of sophistication for which organizations need to actively prepare.

“We observed Octo Tempest leverage a diverse array of tactics to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data,” according to the report, which delves into the granular details of 0ktapus’ arsenal. “Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models. The well-organized, prolific nature of Octo Tempest’s attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators.”

0ktapus’ Unique Technique

For instance, 0ktapus has recently turned to a unique technique using the data movement platform Azure Data Factory and automated development pipelines, Microsoft warned; the goal appears to be data exfiltration via attacker-controlled Secure File Transfer Protocol (SFTP) servers, looking to hide amid a victim’s legitimate big data operations.

“Additionally, the threat actor commonly registers legitimate Microsoft 365 backup solutions such as Veeam, AFI Backup, and CommVault to export the contents of SharePoint document libraries and expedite data exfiltration,” according to Microsoft.

Roger Grimes, data-driven defense evangelist at KnowBe4, noted that 0ktapus’s large spectrum of possible attacks and motives creates challenges for organizations. 

“Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks,” he said in an emailed statement. “The methods and sophistication of these attacks must be shared to employees. They need lots of examples. Employees need to be able to recognize the various cyberattack methods and be taught how to recognize, mitigate, and appropriately report them.”

He added, “we know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight those two attack methods is where they should likely start.”