Octo Tempest Group Threatens Physical Violence as Social Engineering Tactic
The financially motivated English-speaking threat actors use advanced social engineering techniques, SIM swapping, and even threats of violence to breach targets.
October 27, 2023
The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded "one of the most dangerous financial criminal groups" by Microsoft's Incident Response and Threat Intelligence team.
The group later shifted to extortion using stolen data, and by mid-2023 it had partnered with ALPHV/BlackCat ransomware, initially leveraging the ALPHV Collections leak site and later deploying the ransomware itself, focusing on VMware ESXi servers.
Microsoft's in-depth post about the group and its extensive range of tactics, techniques, and procedures (TTPs) details the evolution of Octo Tempest and the fluidity of its operations.
"In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," the report notes. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."
The Multi-Armed 0ktapus Cybercrime Playbook
The group gains initial access through advanced social engineering techniques, often targeting employees with access to network permissions, including support and help desk personnel.
The attackers call these individuals, and attempt to persuade them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility.
The group is not beyond leveraging personal information, such as home addresses and family names, or even making physical threats, to coerce victims into sharing corporate access credentials.
During the initial stages of the attacks, Octo Tempest conducts extensive reconnaissance, which includes gathering data on users, groups, and device information, and exploring network architecture, employee onboarding, and password policies.
The group uses tools including PingCastle and ADRecon for Active Directory reconnaissance, and the PureStorage FlashArray PowerShell SDK for enumerating storage arrays.
They reach deep into multi-cloud environments, code repositories, and server infrastructure, aiming to validate access and plan footholds for subsequent attack phases, a process that helps the group enhance their activities within targeted environments.
Partnering With Russians: Unprecedented Fusion of Tactics, Tools
Callie Guenther, senior manager of cyber threat research at Critical Start, says English-speaking Octo Tempest's affiliation with the Russian-speaking BlackCat group signifies an "unprecedented fusion" of resources, technical tools, and refined ransomware tactics.
"Historically, the distinct boundaries maintained between Eastern European and English-speaking cybercriminals provided some semblance of regional demarcation," she explains. "Now, this alliance allows Octo Tempest to operate on a wider canvas, both geographically and in terms of potential targets."
She notes that the convergence of Eastern European cyber expertise with the linguistic and cultural nuances of English-speaking affiliates enhances the localization and efficacy of their attacks.
From her perspective, the multifaceted approach Octo Tempest employs is particularly alarming.
"Beyond their technical prowess, they've mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations," she says. "This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold."
She notes the real concern emerges when one realizes they've diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.
Tony Goulding, cybersecurity evangelist at Delinea, agrees the blend of sophisticated techniques, broad scope of industries targeted, and their aggressive approach — even resorting to physical threats — are the most dangerous aspects of the group.
"Organizations should be very concerned," he explains. "Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat."
He says this is particularly beneficial when using idiolect methods to convincingly impersonate employees during phone calls.
"Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques," he adds.
Guenther says defending against Octo Tempest's financial pursuits involves a series of proactive and reactive measures, adhering to the principle of least privilege to ensure restricted access.
"Cryptocurrencies should be stored in offline cold wallets to minimize online exposure," she advises. "Continual system updates and anti-ransomware solutions can thwart most ransomware deployments."
Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts.
"In case of breaches or attacks, an established incident response strategy can guide immediate actions," she adds. "Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures."
Goulding points out education, awareness training, and technical controls that vault privileged accounts and protect access workstations and servers are key.
"Putting obstacles in the path of threat actors all along the attack chain, to divert them from their playbook and generate noise, is super important for early detection," he says. "The more advanced and proficient the attack group, the better prepared they will be, so investing in the best tools that include modern capabilities is your best bet."