Microsoft has described the Octo Tempest (aka Scattered Spider, 0ktapus, UNC3944) group as “one of the most dangerous financial criminal groups” operating today.
In a lengthy analysis, the tech giant explained that the financial extortion group is unusual in comprising English-speaking threat actors, even though it has collaborated with the Russian-speaking ALPHV/BlackCat ransomware operation.
“Historically, Eastern European ransomware groups refused to do business with native English-speaking criminals,” Microsoft noted.
The report claimed Octo Tempest began life in early 2022 with SIM swap attacks, which it followed with attacks on tech companies and ransomware aimed mainly at VMware ESXi servers.
Victim organizations apparently hail from a wide variety of sectors including telcos, tech firms, natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law and financial services.
“In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data,” Microsoft continued.
“Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques.”
The group benefits from “extensive technical depth and multiple hands-on-keyboard operators,” beginning attacks with sophisticated social engineering and impersonation. It researches and then targets technical administrators like support and help desk personnel, and even impersonates new hires, the report explained.
“In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts,” it added. “These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.”
The group also has a range of discovery, credential access, lateral movement, defense evasion and persistence techniques to support its post-exploitation activity.
To assist network defenders, Microsoft listed a range of defensive and threat hunting strategies in its report.
Octo Tempest has been linked previously to big-name breaches including MGM Resorts International, Caesars Entertainment, Okta and Twilio.