Microsoft, in a recent threat intelligence report, has provided an overview of Octo Tempest, one of the most formidable and rapidly growing cybercrime syndicates. The group, made up of native English speakers and also known as “Scattered Spider”, has shown striking sophistication and a wider array of skill sets than most other cybercrime organizations.
Key capabilities at its disposal include SMS phishing, SIM swapping, and advanced social engineering. These tactics and this proficiency may have influenced the prominent ransomware outfit ALPHV/BlackCat to bring Octo Tempest into its affiliate program. Notably, partnering with a suspected Russian outfit breaks with the tradition of Eastern European ransomware affiliations avoiding English-speaking cohorts.
Octo Tempest's Evolution and Apparent Strategy
Octo Tempest, operational from late 2022, initially focused on mobile network operators (MNOs) and business process outsourcing organizations, employing tactics such as data extortion without deploying encryption payloads. The group has since evolved its strategies, carrying out full-scale ransomware attacks that primarily target VMware ESXi servers. Its tactics and extensive targeting of these servers may tie it to the MGM Resorts cyber breach.
Their modus operandi has changed significantly since early 2022, so much so that Microsoft has categorized their evolution into three phases. Phase one, from early to late 2022, predominantly involved SIM swapping to target mobile network operators (MNOs) and business process outsourcing organizations. Access gained through these breaches was then sold to others intent on account takeovers and cryptocurrency theft.
In phase two, the group cast a wider net to also target email and tech service providers along with telecom companies, while embarking on data extortion attacks to increase monetization. The third phase saw a shift to ransomware, diversifying targets across a vast range of industries, namely gaming, hospitality, retail, manufacturing, natural resources, financial services, and tech.
Employing a Variety of Attack Techniques
Octo Tempest presents a significant threat because of its diversified, highly organized, and well-informed attack portfolio. The group has shown consistent success in persuading employees to install genuine remote monitoring tools, which it later misuses to initiate attacks. It has also adopted extreme measures, such as sending threatening SMS messages to coerce victims into handing over their corporate credentials.
To evade detection, the group reportedly researches its targets extensively, picking up company jargon and lingo to mimic victims and appear more convincing, and often impersonates new employees to gain legitimate access to company systems. This extends to making MFA changes and resetting employee passwords, including through SIM-swapping attacks.
Upon breaching a targeted organization, Octo Tempest engages in discovery missions to gather as much accessible information as possible, ranging from employee onboarding processes to password policies and remote access methods.
In its report, Microsoft recommends that organizations watch for tooling such as PingCastle and ADRecon, which the group uses to retrieve information about an organization's Active Directory, as a sign of an Octo Tempest attack. It also urges organizations to consider establishing out-of-band communication channels as a precaution, since the group has compromised widely used platforms including Slack, Teams, and Zoom to extract incident response plans and use them in its extortion efforts.