The threat actor known as Scattered Spider, which has gained notoriety for its financially motivated hacking operations, has expanded its tactics from SIM swaps to ransomware. Microsoft, which disclosed this group’s activities, has characterized it as one of the most dangerous financial criminal organizations, highlighting its operational flexibility and use of SMS phishing, SIM swapping, and help desk fraud as part of its attack strategy.
Furthermore, this adversary, referred to as “Octo Tempest” by Microsoft, is a financially motivated collective of native English-speaking threat actors. Octo Tempest is known for its wide-ranging campaigns, featuring adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping capabilities.
One of the key aspects of Octo Tempest’s approach involves targeting support and help desk personnel through social engineering attacks, enabling them to gain initial access to privileged accounts. This often includes tricking employees into resetting victims’ passwords and multi-factor authentication methods. The group employs various methods, such as purchasing employee credentials from criminal underground markets, using AiTM phishing toolkits to lure users to fake login portals, or convincing users to remove their FIDO2 tokens.
Initially, Octo Tempest targeted mobile telecommunication providers and business process outsourcing organizations, mainly focusing on SIM swaps. Later, they diversified their targeting, expanding to email and tech service providers, gaming, hospitality, retail, and more, and even becoming an affiliate of the BlackCat ransomware gang to extort victims.
In a significant shift, Octo Tempest has transitioned from simply performing SIM swaps to more sophisticated operations, including extortion, data theft, and ransomware deployment. They have been known to resort to physical threats and employ fear-mongering tactics to obtain corporate access credentials. Octo Tempest’s attacks are characterized by their reconnaissance activities, privilege escalation through stolen password policy procedures, and tampering with security staff mailbox rules to delete emails from vendors.
Their extensive technical expertise is evident in their use of a wide array of tools and tactics, such as compromising VMware ESXi infrastructure and launching Python scripts against virtual machines. Microsoft’s warning serves as a reminder of the evolving and increasingly dangerous landscape of financial cybercriminal activities.