Microsoft sounds the alarm over English-speaking Octo Tempest


Microsoft has described the Octo Tempest group (aka Scattered Spider, 0ktapus, UNC3944) as “one of the most dangerous financial crime groups” operating today.

In a lengthy analysis, the tech giant explained that the financial extortion group has the distinction of including English-speaking threat actors, even though it collaborated with the Russian-speaking ALPHV/BlackCat ransomware operation.

“Historically, Eastern European ransomware groups have refused to do business with English-speaking criminals,” Microsoft noted.

The report claims that Octo Tempest began life in early 2022 with SIM swap attacks, followed by attacks on technology companies and ransomware primarily targeting VMware ESXi servers.

Victim organizations apparently come from a wide variety of industries, including telecommunications carriers, technology companies, natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology and financial services.

“During recent campaigns, we observed Octo Tempest leveraging a wide range of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data,” Microsoft continued.

“Octo Tempest leverages know-how that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques.”


The group boasts “great technical depth and several hands-on-keyboard operators,” launching attacks through sophisticated social engineering and impersonation. It identifies and then targets technical administrators such as support and help desk staff, and even poses as new hires, the report explains.

“In rare cases, Octo Tempest uses scare tactics, targeting specific individuals through phone calls and text messages,” the statement added. “These actors use personal information, such as home addresses and last names, as well as physical threats to coerce victims into sharing their credentials to gain access to the business.”

The group also has a range of discovery, credential access, lateral movement, defense evasion and persistence tactics to facilitate post-exploitation activities.

To assist network defenders, Microsoft listed a range of defensive and threat hunting strategies in its report.

Octo Tempest has previously been linked to high-profile breaches, including MGM International, Caesars Entertainment, Okta and Twilio.
