Group-IB has found that the recently uncovered 0ktapus phishing campaign targeting Twilio and Cloudflare employees was part of a much larger attack chain that compromised 9,931 accounts at more than 130 organizations.
The campaign was codenamed 0ktapus by Group-IB researchers because its phishing pages impersonated Okta, a widely used identity and access management service. The vast majority of victims are located in the United States, and many of them use Okta for identity and access management.
The Group-IB Threat Intelligence team discovered and analyzed the attackers' phishing infrastructure, including the phishing domains, the phishing kit, and the attacker-controlled Telegram channel used to exfiltrate the stolen data. All victim organizations identified by Group-IB researchers were notified and given lists of compromised accounts. Intelligence on the suspected identity of the threat actor has been shared with international law enforcement agencies.
Continuous attack chain
On July 26, 2022, the Group-IB team received a request from a Threat Intelligence client asking for additional information on a recent phishing attempt against its employees. The investigation found that these phishing attacks, along with the Twilio and Cloudflare incidents, were links in a single chain: a simple but highly effective phishing campaign of unprecedented scale and reach, active since at least March 2022. The investigation into the Signal messenger compromise showed that once the attackers had compromised a company, they immediately used that access to launch further supply chain attacks.
Luck or perfect planning?
"It may be that the threat actor got very lucky in their attacks. However, it is much more likely that they planned their phishing campaign very carefully to launch sophisticated supply chain attacks. It is not yet clear whether the attacks were fully planned or whether various measures were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful and the full extent may not be known for some time," said Roberto Martinez, Senior Threat Intelligence Analyst at Group-IB, Europe.
The threat actors' main goal was to obtain Okta identity credentials and two-factor authentication (2FA) codes from employees of the targeted organizations. Targets received text messages containing links to phishing sites that impersonated their organization's Okta sign-in page; a victim who entered both the password and the one-time code on such a page handed the attackers everything needed to complete the login.
Where did the initial target data come from?
It is still unknown how the scammers built their target list and obtained the phone numbers. According to the compromised data analyzed by Group-IB, the threat actors began by targeting mobile operators and telecommunications companies; these early victims may have been the source of the phone numbers needed for the later attacks.
A large number of phishing domains
Group-IB researchers identified 169 unique phishing domains involved in the 0ktapus campaign. The domains used keywords such as "SSO", "VPN", "OKTA", "MFA" and "HELP". From the victim's perspective the phishing pages were convincing, since they closely resembled the legitimate authentication pages.
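As an added illustration of the domain pattern described above (this is example code written for this page, not code from the original article or from Group-IB), the following Python script scans a feed of candidate hostnames, such as newly registered domains or certificate transparency log entries, for names that combine a target organization's brand with one of the reported keywords. The brand `examplecorp`, the allowlist and the sample feed are constructed assumptions for illustration, not indicators from the actual campaign.

```python
"""Flag candidate 0ktapus-style phishing domains.

Example code for this page. The brand name, allowlist and sample feed are
constructed assumptions, not indicators observed in the real campaign.
"""
from urllib.parse import urlsplit

# Keywords Group-IB reported seeing in the 0ktapus phishing domains.
SUSPICIOUS_KEYWORDS = ("sso", "vpn", "okta", "mfa", "help")

# Hypothetical target organization and its legitimate hosts (assumption).
BRAND = "examplecorp"
ALLOWLIST = {"examplecorp.com", "examplecorp.okta.com", "okta.com"}


def normalize_host(value: str) -> str:
    """Accept a bare hostname or a full URL and return the lowercase hostname."""
    value = value.strip().lower()
    if "://" not in value:
        # urlsplit treats a bare host as a path; make it a network location.
        value = "//" + value
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def is_allowlisted(host: str) -> bool:
    """True if host is, or is a subdomain of, an allowlisted domain."""
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)


def score_host(host: str, brand: str = BRAND):
    """Return (brand_present, matched_keywords) for one hostname.

    The 0ktapus pages combined the victim's brand with an auth-related
    keyword ("<brand>-sso", "<brand>-okta"), so both signals together are the
    indicator; either alone produces far too many false positives.
    """
    host = normalize_host(host)
    if not host or is_allowlisted(host):
        return False, ()
    # Crude public-suffix removal: keep every label left of the last one.
    body = "-".join(host.split(".")[:-1])
    brand_present = brand in body
    matched = tuple(k for k in SUSPICIOUS_KEYWORDS if k in body)
    return brand_present, matched


def flag_hosts(candidates, brand: str = BRAND):
    """Return (host, keywords) for candidates combining the brand with a keyword."""
    flagged = []
    for candidate in candidates:
        brand_present, matched = score_host(candidate, brand)
        if brand_present and matched:
            flagged.append((normalize_host(candidate), matched))
    return flagged


# Constructed sample feed (not real 0ktapus infrastructure).
SAMPLE_FEED = [
    "examplecorp-sso.com",
    "https://examplecorp-okta.net/login",
    "examplecorp.okta.com",        # legitimate tenant, allowlisted
    "vpn-examplecorp.co",
    "examplecorp-mfa-help.org",
    "examplecorp-news.com",        # brand only: not flagged
    "sso-helpdesk.com",            # keywords only: not flagged
]


if __name__ == "__main__":
    for host, keywords in flag_hosts(SAMPLE_FEED):
        print(f"{host}: {', '.join(keywords)}")
```

In practice the candidate list would be fed from a certificate transparency stream or a newly-registered-domain feed, and hits would be enriched with registration date and hosting details before anyone acts on them; requiring the brand and a keyword together keeps the alert volume manageable.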
Group-IB provides further information and more detailed results of the investigation on its website.
More at Group-IB.com