Microsoft: Octo Tempest Is One of the Most Dangerous Financial Hacking Groups

Cyber Security Threat Summary:
Researchers at Microsoft released a comprehensive profile of Octo Tempest, a native English speaker known for advanced social engineering skills. Octo Tempest primarily focuses on data extortion and ransomware attacks against various companies. This threat actor’s tactics have been continuously evolving since early 2022, with expanded targeting encompassing organizations offering cable telecommunications, email, and tech services. Furthermore, Octo Tempest has formed partnerships with the ALPHV/BlackCat ransomware group.

Recent attacks by this group have been directed at a diverse range of sectors. The threat actors initial access typically involves advanced social engineering targeting technical administrators with adequate permissions to further their attack. Octo Tempest’s approach involves extensive research into the company, allowing them to impersonate individuals convincingly with phone calls. Through these deceptive calls, the group tricks technical admins into performing actions like password resets and multi factor authentication resets. Other methods for initial access include tricking targets into installing remote monitoring and management software, phishing for logins, purchasing credentials from cybercriminals, SMS phishing, SIM-swapping, and even direct threats of violence. Once they secure sufficient access, Octo Tempest enters the reconnaissance stage, enumerating hosts and services, collecting information to abuse legitimate channels for intrusion.

Further, Octo Tempest continues to seek additional credentials to expand their reach and uses automation tools to find plaintext keys, secrets, and passwords across code repositories. They also target security personnel accounts to disable security features and products. To hide their presence on the network, Octo Tempest supresses alerts of changes and modifies mailbox rules to delete suspicious emails. They employ a variety of tools and techniques, including open-source tools, Azure virtual machines, adding MFA methods, tunneling tools, and unique data transfer techniques.

Security Officer Comments:
Octo Tempest, initially involved in SIM swaps and stealing accounts of individuals with cryptocurrency assets has evolved. In late 2022, Octo Tempest shifted its tactics to include phishing, social engineering, mass password resets for customers of breached service providers, and data theft. This year, the group broadened its targets, attacking companies across various sectors such as gaming, hospitality, retail, manufacturing, technology, and finance, along with managed service providers. Joining forces with the ALPHV/BlackCat ransomware group, Octo Tempest began using ransomware for data theft and encryption.

Suggested Correction(s):
Researchers at Microsoft have released recommendations to defend against Octo Tempest such as:

  • Align privilege in Microsoft Entra ID and Azure
  • Segment Azure landing zones
  • Implement Conditional Access policies and authentication methods
  • Develop and maintain a user education strategy
  • Use out-of-band communication channels