Octo Tempest's Advanced Social Engineering Drives Monetary Goals
Category: Threat Actor Activity | Industries: Financial, Technology, Telecommunications | Source: Microsoft
A financially motivated threat actor, armed with sophisticated social engineering capabilities, is detailed in Microsoft's latest research report. The threat group, tracked as Octo Tempest, is assessed to be affiliated with the ALPHV/BlackCat ransomware gang, in addition to having overlaps with threat activity attributed to 0ktapus, Scattered Spider, and UNC3944. Octo Tempest is considered one of the "most dangerous financial criminal groups," known for its broad use of social engineering, adversary-in-the-middle techniques, and SIM-swapping capabilities. Its activities have evolved from initial tracking in early 2022, when it targeted mobile telecommunications and business process outsourcing organizations, to a wider range of industries, including technology, financial services, and more.
During their social engineering campaigns to obtain initial access, Octo Tempest actors conduct research to understand the targeted organization's structure and personnel. They engage with "technical administrators, such as support and help desk personnel" to gain initial access by having passwords or multi-factor authentication (MFA) reset. To make these requests look routine, Microsoft observed Octo Tempest "impersonating newly hired employees in these attempts to blend into normal on-hire processes." Alternatively, Octo Tempest is capable of obtaining initial access through compromised credentials purchased from underground markets, SIM swapping, contacting and convincing an employee to install remote access software, or luring employees to fraudulent login portals. In more aggressive but rare instances, Microsoft reports Octo Tempest resorting "to fear-mongering tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access."
Once access has been obtained, the attackers scour for data, running "broad searches across knowledge repositories to identify documents related to network architecture, employee onboarding, remote access methods, password policies, and credential vaults." After a thorough review of the network and data, they use what they have gathered to pivot toward privilege escalation and persistence objectives. With an understanding of the network, Octo Tempest has also disabled security monitoring or defenses to evade detection. They target security personnel in an effort to manipulate security monitoring tools and EDR into permitting the download of their desired tools. Additionally, they suppress alerting by setting up inbox rules to "automatically delete emails from vendors." Depending on the attack, the intrusion culminates in cryptocurrency theft, data exfiltration, and/or ransomware deployment. Octo Tempest's affiliation with ALPHV/BlackCat enables the group to deploy ransomware on Windows, Linux, or VMware ESXi servers and to leverage the ransomware gang's data leak site for extortion.
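The inbox-rule tactic described above is one a defender can hunt for in mailbox audit logs. The following is an added detection example, not code from Microsoft's report: it scans constructed records shaped loosely like Exchange Online audit entries for New-InboxRule / Set-InboxRule and flags rules that match vendor or alert-related terms and then delete or hide the message. The vendor terms, folder names and record layout are assumptions to be tuned to a real environment.

```python
import json

# Constructed sample records; real audit entries carry more fields and the
# MoveToFolder value is a full folder identity, so matching below is by substring.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "FromAddressContainsWords", "Value": "edr-vendor.example;siem-vendor.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "bob@example.com:\\Reading"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Alerts"},
                    {"Name": "SubjectContainsWords", "Value": "security alert;detection"},
                    {"Name": "MoveToFolder", "Value": "carol@example.com:\\Deleted Items"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]

# Assumed watch list: security vendors and alert phrasing used in this environment.
VENDOR_TERMS = ("edr-vendor.example", "siem-vendor.example", "security alert", "detection")
# Folders where a moved alert is effectively hidden from the user.
SUPPRESSING_FOLDERS = ("deleted items", "junk email", "rss feeds", "archive")

def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def is_suppressing_rule(record):
    """True when a rule both targets vendor/alert mail and deletes or hides it."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = _params(record)
    conditions = " ".join(v for k, v in p.items() if k.endswith("ContainsWords")).lower()
    matches_vendor = any(term in conditions for term in VENDOR_TERMS)
    deletes = p.get("DeleteMessage", "").lower() == "true"
    target = p.get("MoveToFolder", "").lower()
    hides = any(folder in target for folder in SUPPRESSING_FOLDERS)
    return matches_vendor and (deletes or hides)

def find_suppressing_rules(records):
    """Return the mailbox owners whose rules look like alert suppression."""
    return [r["UserId"] for r in records if is_suppressing_rule(r)]

if __name__ == "__main__":
    print(json.dumps(find_suppressing_rules(SAMPLE_AUDIT_LOG), indent=2))
```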