A gang of native English-speaking cyber criminals who began their careers as social engineers in support of so-called SIM swapping attacks and cryptocurrency fraud, and have since graduated to cyber extortion, is rapidly emerging as one of the most dangerous financially motivated cyber crime groups operating today, according to information on the gang released by Microsoft researchers.
The Octo Tempest operation emerged about 18 months ago and saw some success in monetising their initial intrusions by selling SIM swaps to other actors and taking over the crypto accounts of high-net-worth individuals. By early 2023, the gang had moved on to targeting larger organisations, including tech companies, stealing data and holding it to ransom.
However, it is from mid-2023 onwards that the group became even more of a live threat, when it became an affiliate of the notorious Russian-speaking ALPHV/BlackCat ransomware-as-a-service (RaaS) operation and started to leverage the ransomware crew’s dark web leak site. This, said Microsoft’s research team, was a particularly significant moment in its history.
“Historically, Eastern European ransomware groups refused to do business with native English-speaking criminals,” said Microsoft. “[But] By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMware ESXi servers.
“Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services,” said the team.
Microsoft said that Octo Tempest likely overlaps with the UNC3944 (aka Scattered Spider, 0ktapus) collective. Although Microsoft did not say so itself, given the gang’s affiliation with ALPHV/BlackCat, it is possible to assess with some degree of confidence that Octo Tempest may have some link to the September 2023 Las Vegas casino heists, and to various other attacks conducted through the systems of identity and access management (IAM) specialist Okta.
There is, however, no proven link to suggest it had anything to do with the still-developing series of attacks on other cyber security firms that were customers of Okta – these attacks on 1Password, BeyondTrust and Cloudflare had not been attributed to any specific threat actor at the time of writing.
Technically adept gang
Microsoft said Octo Tempest’s attacks were prolific and well-organised, demonstrating extensive technical expertise and multiple hands-on-keyboard operators doing its dirty work. It leverages a wide and growing number of tactics, techniques and procedures (TTPs).
Of these TTPs, several in particular stand out. The gang is particularly fond of social engineering attacks targeting IT support and helpdesk staffers in order to take advantage of their enhanced privilege levels. They extensively research such victims to identify and tailor attacks to their targets, using personal information to trick them, and even going so far as to mimic idiolect on phone calls to them.
In some instances, they also resort to particularly aggressive fear-mongering tactics. In screenshots shared by Microsoft, a gang member threatened one victim’s family. “If we don’t get your [redacted] login in the next 20 minutes were [sic] sending a shooter to your house,” they said. “Ur wife is gonna get shot if u don’t [sic] fold it [redacted].”
They also often escalate their privileges through traditional SIM swapping, taking over employees’ phone numbers to initiate self-service password resets, or by socially engineering the helpdesk into resetting admin passwords.
Once inside their victim environments, the gang performs various actions, including bulk export of user, group and device information and enumeration of the data and resources available to the compromised user’s profile. They also enumerate data related to network architecture, employee onboarding, remote access methods, and credential policies and vaults, and seek to advance their access through multi-cloud environments, code repositories, and server and backup management infrastructure, among other things.
Additionally, the gang seeks to use its privileges to turn off security products and features and evade detection, and leverages publicly available security tools to establish persistence. On endpoints, to maintain persistence, they use a wide array of remote monitoring and management (RMM) tools.
The ultimate goal of all this is of course data theft, extortion and ransomware deployment using a variant of the ALPHV/BlackCat locker, and in common with most other ransomware gangs, the data it steals generally depends on what it is able to get access to.
Octo Tempest does, however, deploy a technique that has never been seen before, exploiting the Azure Data Factory platform and its automation to exfiltrate victims’ data to the gang’s own Secure File Transfer Protocol (SFTP) servers, a method by which Microsoft believes they aim to blend in with legitimate big data operations. They have also been observed registering legitimate Microsoft 365 backup solutions, including Commvault and Veeam, to export SharePoint document libraries and expedite the exfiltration process.
Hunting Octo Tempest a challenge for defenders
Microsoft said that the gang’s use of techniques such as social engineering, living-off-the-land and its diverse array of toolsets makes hunting them particularly difficult.
However, there are a number of general guidelines that defenders can use to try to surface their activity, when combined with robust deconfliction with legitimate users. An array of more in-depth technical information on these techniques is available from Microsoft.
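One concrete way to surface the identity chain described above (a phone/MFA method change, followed by a self-service password reset, followed by bulk directory export or security tooling being switched off) is to correlate those events per account within short time windows. The script below is an added example written for this article, not Microsoft’s hunting queries or telemetry format: the event schema, action names and sample log lines are constructed for illustration, and the time windows are assumptions a defender would tune against their own baseline and deconflict with legitimate helpdesk activity.

```python
"""Correlate identity-audit events into the Octo Tempest-style chain:
MFA/phone method change -> self-service password reset -> bulk export or
security tooling disabled. Added example; schema and data are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalised schema
# (ts, actor, action, target, detail). Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T09:02:00", "actor": "helpdesk.bot", "action": "mfa_method_changed",
     "target": "j.doe", "detail": "phone +1-555-0100 -> +1-555-0199"},
    {"ts": "2023-09-10T09:14:00", "actor": "j.doe", "action": "sspr_completed",
     "target": "j.doe", "detail": "sms"},
    {"ts": "2023-09-10T09:40:00", "actor": "j.doe", "action": "directory_bulk_export",
     "target": "tenant", "detail": "users=8400 groups=650 devices=5100"},
    {"ts": "2023-09-10T10:05:00", "actor": "j.doe", "action": "security_agent_disabled",
     "target": "srv-fs-01", "detail": "EDR real-time protection off"},
    # Benign reset: no preceding method change, no follow-up activity.
    {"ts": "2023-09-10T11:00:00", "actor": "a.smith", "action": "sspr_completed",
     "target": "a.smith", "detail": "authenticator"},
    # Method change followed by a reset, but 12 hours later (outside the window).
    {"ts": "2023-09-09T08:00:00", "actor": "b.lee", "action": "mfa_method_changed",
     "target": "b.lee", "detail": "phone +1-555-0111 -> +1-555-0122"},
    {"ts": "2023-09-09T20:00:00", "actor": "b.lee", "action": "sspr_completed",
     "target": "b.lee", "detail": "sms"},
]

# Assumed tuning values: how soon a reset must follow a method change, and
# how long after the reset we look for post-access actions.
RESET_WINDOW = timedelta(hours=1)
FOLLOWUP_WINDOW = timedelta(hours=24)
# Hypothetical action names for the post-access behaviours in the article.
FOLLOWUP_ACTIONS = {"directory_bulk_export", "security_agent_disabled", "rmm_tool_installed"}


def parse(events):
    """Parse ISO timestamps and return events ordered by time."""
    parsed = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(e)
    return sorted(parsed, key=lambda e: e["ts"])


def correlate(events):
    """Return one alert per account whose timeline matches the chain.

    Severity is 'medium' for method change -> reset alone (a helpdesk
    deconfliction candidate) and 'high' when export/tamper actions follow.
    """
    evs = parse(events)
    alerts = []
    for chg in (e for e in evs if e["action"] == "mfa_method_changed"):
        user = chg["target"]
        resets = [e for e in evs
                  if e["action"] == "sspr_completed" and e["target"] == user
                  and chg["ts"] < e["ts"] <= chg["ts"] + RESET_WINDOW]
        if not resets:
            continue
        reset = resets[0]
        followups = [e for e in evs
                     if e["action"] in FOLLOWUP_ACTIONS and e["actor"] == user
                     and reset["ts"] < e["ts"] <= reset["ts"] + FOLLOWUP_WINDOW]
        alerts.append({
            "user": user,
            "severity": "high" if followups else "medium",
            "method_change": chg["ts"].isoformat(),
            "reset": reset["ts"].isoformat(),
            "followup_actions": sorted({e["action"] for e in followups}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data only `j.doe` is flagged, at high severity, because the bulk export and the disabled agent both fall within a day of the reset; `b.lee` is not flagged because the reset falls outside the one-hour window. In practice the medium-severity hits are where deconfliction with the helpdesk matters most, since a legitimate phone change followed by a reset looks identical until the follow-up actions are considered.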