
Microsoft: 0ktapus Cyberattackers Evolve to 'Most Dangerous' Status

The English-speaking cyberattack group behind the MGM and Caesars Entertainment attacks is adding unique capabilities and gaining in sophistication. Prepare now, Microsoft says.

[Image: a blue octopus under the sea. Source: Jerome Moreaux via Alamy Stock Photo]

"One of the most dangerous financial criminal groups" — and growing in sophistication. That is Microsoft's assessment of the 0ktapus cyberattack collective, which was most recently in the news for carrying out the strikingly disruptive MGM and Caesars Entertainment ransomware hits.

The English-speaking group (aka Scatter Swine, UNC3944 or, as Microsoft calls it, "Octo Tempest") typically engages in adversary-in-the-middle (AitM) techniques, social engineering involving calling up targets directly, and SIM swapping. It's been known to carry out cryptocurrency theft, data-leak extortion, and ransomware attacks (it became a BlackCat/ALPHV affiliate in mid-2023). Aside from the casino/hospitality wins in September, it previously made a name for itself by specializing in successfully compromising Okta credentials in a spate of attacks, including the widespread Twilio leak last August.

The threat has been evolving in recent campaigns, according to a detailed Microsoft analysis this week, and it exhibits a notable level of sophistication for which organizations need to actively prepare.

"We observed Octo Tempest leverage a diverse array of tactics to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," according to the report, which delves into the granular details of 0ktapus' arsenal. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models. The well-organized, prolific nature of Octo Tempest's attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators."

0ktapus' Unique Technique

For instance, 0ktapus has recently turned to a unique technique using the data movement platform Azure Data Factory and automated development pipelines, Microsoft warned; the goal appears to be data exfiltration via attacker-controlled Secure File Transfer Protocol (SFTP) servers, looking to hide amid a victim's legitimate big data operations.

"Additionally, the threat actor commonly registers legitimate Microsoft 365 backup solutions such as Veeam, AFI Backup, and CommVault to export the contents of SharePoint document libraries and expedite data exfiltration," according to Microsoft.
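The two exfiltration paths described above (a Data Factory linked service pointing at an SFTP server the organization does not own, and a newly consented backup application with SharePoint read scope) are both visible in platform audit logs. The following is an added detection example, not code from the article or from Microsoft; the log records are constructed samples in a simplified shape, and the SFTP allowlist and product-name markers are assumptions a team would tune to its own environment. The operation name, audit activity and Graph permission names are the real Azure/Entra identifiers, but the full record formats are richer than shown here.

```python
"""Triage constructed Azure activity / Entra audit records for two patterns the
article attributes to Octo Tempest: Data Factory SFTP sinks to unknown hosts, and
app consents that grant SharePoint document-library export rights."""
import json
from dataclasses import dataclass

# Assumed org allowlist of SFTP destinations that Data Factory may legitimately write to.
ALLOWED_SFTP_HOSTS = {"sftp.partner.example.com"}
# Microsoft Graph permissions that allow reading/exporting SharePoint document libraries.
SHAREPOINT_EXPORT_SCOPES = {"Sites.Read.All", "Sites.ReadWrite.All",
                            "Sites.FullControl.All", "Files.Read.All"}
# Backup products named in the article; matched as substrings of the app display name.
BACKUP_PRODUCT_MARKERS = ("veeam", "afi backup", "commvault")

# Constructed sample events (not real tenant data), in a simplified record shape.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.DataFactory/factories/linkedServices/write",
     "caller": "ops@contoso.example",
     "properties": {"type": "Sftp", "host": "sftp.partner.example.com"}},
    {"operationName": "Microsoft.DataFactory/factories/linkedServices/write",
     "caller": "svc-bigdata@contoso.example",
     "properties": {"type": "Sftp", "host": "198.51.100.23"}},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": "jdoe@contoso.example",
     "targetResources": [{"displayName": "Veeam Backup for Microsoft 365",
                          "permissions": ["Sites.Read.All", "offline_access"]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": "jdoe@contoso.example",
     "targetResources": [{"displayName": "Contoso Expense Tool",
                          "permissions": ["User.Read"]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": "asmith@contoso.example",
     "targetResources": [{"displayName": "Contoso Intranet Search",
                          "permissions": ["Sites.Read.All"]}]},
]


@dataclass
class Finding:
    rule: str
    actor: str
    detail: str
    severity: str


def check_adf_linked_service(event: dict):
    """Flag an SFTP linked service whose host is not on the allowlist."""
    if event.get("operationName") != "Microsoft.DataFactory/factories/linkedServices/write":
        return None
    props = event.get("properties", {})
    if props.get("type", "").lower() != "sftp":
        return None
    host = props.get("host", "")
    if host in ALLOWED_SFTP_HOSTS:
        return None
    return Finding(rule="adf_sftp_linked_service_unknown_host",
                   actor=event.get("caller", "?"),
                   detail=f"SFTP linked service created for {host!r}",
                   severity="high")


def check_backup_app_consent(event: dict):
    """Flag a consent that grants SharePoint export scopes; raise severity for
    known backup products, since the actor registers those to bulk-export libraries."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    for target in event.get("targetResources", []):
        name = target.get("displayName", "")
        granted = set(target.get("permissions", [])) & SHAREPOINT_EXPORT_SCOPES
        if not granted:
            continue
        is_backup = any(m in name.lower() for m in BACKUP_PRODUCT_MARKERS)
        return Finding(rule="app_consent_sharepoint_export",
                       actor=event.get("initiatedBy", "?"),
                       detail=f"{name!r} granted {sorted(granted)}",
                       severity="high" if is_backup else "medium")
    return None


RULES = (check_adf_linked_service, check_backup_app_consent)


def triage(events):
    """Run every rule over every event and return the findings in input order."""
    findings = []
    for event in events:
        for rule in RULES:
            finding = rule(event)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding.__dict__))
```

The product-name match only adjusts severity; any consent granting a SharePoint-wide read scope is reported, because an attacker-registered application can carry whatever display name it likes. Findings on the SFTP rule should be correlated with change records, since a legitimate new partner endpoint looks identical in the log.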

Roger Grimes, data-driven defense evangelist at KnowBe4, noted that 0ktapus' large spectrum of possible attacks and motives creates challenges for organizations.

"Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks," he said in an emailed statement. "The methods and sophistication of these attacks must be shared to employees. They need lots of examples. Employees need to be able to recognize the various cyberattack methods and be taught how to recognize, mitigate, and appropriately report them."

He added, "We know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight those two attack methods is where they should likely start."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
