Notable summer attacks traced back to the same ransomware group
A prolific and highly adaptable cybercriminal group, known by various names including Octo Tempest, Scattered Spider, UNC3944, Muddled Libra, and Starfraud, has been causing havoc in the cyber world since its emergence around 2022. This native English-speaking coalition, primarily composed of young hackers from the US and UK, operates in a decentralized manner through platforms like Telegram and Discord.
The group has been responsible for major attacks against a diverse range of industries, including telecoms, casinos, financial firms, airlines, retailers, insurance companies, food services, and hospitality sectors. They have demonstrated a tendency to pivot and expand their targeting scope over time.
Their tactics rely less on technical exploits than on sophisticated social engineering. They have been known to impersonate employees to request password resets through help desks, carry out SMS phishing (mishing) and adversary-in-the-middle (AiTM) attacks that mimic legitimate organizations, and deploy DragonForce ransomware, with a particular focus on breaching VMware ESXi hypervisor environments.
Recently, the group has targeted on-premises accounts and infrastructure first and moved to cloud environments afterwards, a shift from their earlier cloud-first approach. They have been particularly active against VMware ESXi servers: virtualization hosts that typically lack robust security tooling and that have been hit by a spree of attacks this year.
One of the most notable recent campaigns was a string of intrusions into Okta customer environments. A threat actor used a stolen credential for Okta's support system to access authentication tokens belonging to customers, including BeyondTrust, Cloudflare, and 1Password.
The group is also known for their aggressive communications with victims. Mandiant's report on UNC3944 reveals that the threat actors leave threatening notes within a text file on a system, contact executives via text messages and emails, and infiltrate communication channels being used by victims to respond to incidents.
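The help-desk-initiated password resets described above are hard to block outright, because help desks must be able to reset passwords; what defenders can do is correlate them with what happens to the account next. The following detection logic is an added example written for this page, not code from the article or from any vendor it names. It assumes a constructed, generic identity-provider event schema (fields `ts`, `user`, `event`, `actor`, `detail`), sample log lines built inline, and an illustrative 30-minute correlation window; none of these are a real product's field names or defaults.

```python
"""Correlate help-desk password resets with follow-on account changes.

Added example for this page, not the article's own code. The event schema,
field names, event names and the 30-minute window are all assumptions chosen
for illustration, not any vendor's API.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). One JSON event per line.
SAMPLE_LOG = """
{"ts": "2024-06-03T09:58:12Z", "user": "alice", "event": "password.reset", "actor": "helpdesk:bob"}
{"ts": "2024-06-03T10:02:40Z", "user": "alice", "event": "mfa.factor.enrolled", "actor": "alice", "detail": "sms"}
{"ts": "2024-06-03T10:04:05Z", "user": "alice", "event": "session.start", "actor": "alice", "detail": "new_device"}
{"ts": "2024-06-03T11:30:00Z", "user": "carol", "event": "password.reset", "actor": "helpdesk:bob"}
{"ts": "2024-06-04T08:15:00Z", "user": "carol", "event": "mfa.factor.enrolled", "actor": "carol", "detail": "totp"}
{"ts": "2024-06-03T12:00:00Z", "user": "dave", "event": "mfa.factor.enrolled", "actor": "dave", "detail": "totp"}
"""

# Events that, shortly after a help-desk reset, suggest the caller was not the
# account owner: re-enrolling MFA or starting a session from a new device.
FOLLOW_ON_EVENTS = {"mfa.factor.enrolled", "mfa.factor.reset", "session.start"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_events(raw):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, window=WINDOW):
    """Return (user, reset_time, follow_on_events) for every help-desk reset
    that is followed, within `window`, by an MFA change or a new session.

    `events` must be sorted by timestamp (see parse_events)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "password.reset" or not ev["actor"].startswith("helpdesk:"):
            continue
        deadline = ev["ts"] + window
        follow_on = [
            e for e in events[i + 1:]
            if e["user"] == ev["user"]
            and e["ts"] <= deadline
            and e["event"] in FOLLOW_ON_EVENTS
        ]
        if follow_on:
            findings.append((ev["user"], ev["ts"], follow_on))
    return findings


def flagged_users(raw, window=WINDOW):
    """Convenience wrapper: sorted list of users with a suspicious reset."""
    return sorted({user for user, _, _ in find_suspicious_resets(parse_events(raw), window)})


if __name__ == "__main__":
    for user, reset_ts, follow_on in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        kinds = ", ".join(e["event"] for e in follow_on)
        print(f"{user}: help-desk reset at {reset_ts:%H:%M:%S}Z followed by {kinds}")
```

On the constructed sample, only `alice` is flagged: her reset is followed within minutes by a new MFA factor and a new-device session. `carol`'s reset is followed by an MFA enrollment a day later, outside the window, and `dave` enrolled a factor with no preceding reset. In practice the window and the follow-on event set are tuning knobs; a useful complement is to page the account owner through a channel the help desk did not just change.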
The U.S. government is increasing pressure on ransomware operators and using all the tools available across the federal government to respond to attacks, according to Eric Goldstein, executive assistant director for cybersecurity at CISA. Goldstein also emphasized the importance of entities reporting every cyber intrusion, including ransomware incidents, to CISA or the FBI as quickly as possible due to the underreporting of ransomware incidents.
The full scope of the ransomware problem can be difficult to measure due to widespread underreporting, according to CISA. The group behind these identity-based cyberattacks this year is also one of the most dangerous financial criminal groups currently in operation. They are described as incredibly disruptive and aggressive by Mandiant Consulting CTO Charles Carmakal.
The Cybersecurity and Infrastructure Security Agency (CISA) noted that ransomware remains a serious issue affecting organizations of all sizes, causing real-world consequences for the public. The FBI and CISA have warned about Scattered Spider's evolving tactics in the past. CrowdStrike's research drew similar conclusions about the group's evolving tactics, capabilities, and impact earlier this year.
Microsoft Threat Intelligence describes the group as well-organized and prolific, with extensive technical depth and multiple hands-on-keyboard operators. The group has been involved in high-profile attacks across multiple industries, making it one of the most disruptive forces in the cybercrime world since its emergence.
- The prolific and highly adaptable cybercriminal group, known as Octo Tempest, Scattered Spider, UNC3944, Muddled Libra, and Starfraud, has been deploying DragonForce ransomware and carrying out phishing attacks, such as SMS phishing (mishing) and adversary-in-the-middle (AiTM) attacks, to breach data in various industries.
- The group has reportedly targeted both on-premises accounts and infrastructure before moving to cloud environments, showing a particular focus on virtualization infrastructure, like VMware ESXi servers, which are vulnerable to attacks due to lacking robust security tools.
- The threat actors impersonate individuals to request password resets through help desks and infiltrate the communication channels victims use to respond to incidents. Their communications with victims are aggressive: they leave threatening notes in a text file on a system and contact executives via text messages and emails.
- Considering the wide-ranging impact of these identity-based cyberattacks in organizations of all sizes, cybersecurity experts, including Mandiant Consulting CTO Charles Carmakal, emphasize the importance of reporting cyber incidents, including ransomware attacks, to CISA or the FBI as quickly as possible.