Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms Author: Nate Nelson August 29, 2022 10:56 am minute read Share this article: Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system. Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers. “The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organizations,” wrote Group-IB researchers in a recent report . “These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.” Impacted were 114 US-based firms, with additional victims of sprinkled across 68 additional countries. Roberto Martinez, senior threat intelligence analyst at Group-IB, said the scope of the attacks is still an unknown. “The 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” he said. What the 0ktapus Hackers Wanted The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers. While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies. “[A]ccording to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks,” researchers wrote. Next, attac