Microsoft profiles new risk group with uncommon however efficient practices

Photo of author

By Calvin S. Nelson

Enlarge / This isn’t what a hacker seems like. Besides on hacker cosplay night time.

Microsoft has been monitoring a risk group that stands out for its means to money in from information theft hacks that use broad social engineering assaults, painstaking analysis, and occasional bodily threats.

In contrast to many ransomware assault teams, Octo Tempest, as Microsoft has named the group, doesn’t encrypt information after gaining unlawful entry to it. As an alternative, the risk actor threatens to share the information publicly except the sufferer pays a hefty ransom. To defeat targets’ defenses, the group resorts to a bunch of methods, which, apart from social engineering, consists of SIM swaps, SMS phishing, and stay voice calls. Over time, the group has grown more and more aggressive, at occasions resorting to threats of bodily violence if a goal doesn’t adjust to directions to show over credentials.

“In uncommon cases, Octo Tempest resorts to fear-mongering ways, focusing on particular people by cellphone calls and texts,” Microsoft researchers wrote in a publish on Wednesday. “These actors use private info, similar to dwelling addresses and household names, together with bodily threats to coerce victims into sharing credentials for company entry.”

Threats sent by Octo Tempest to targets.
Enlarge / Threats despatched by Octo Tempest to targets.


Octo Tempest first got here to note early final yr because it used SIM swaps to ensnare firms that present cellular telecommunications processing providers to different firms. The group would then promote the unauthorized entry it gained by these swaps to different crime teams or use them to carry out account takeovers of high-net-worth people to steal their cryptocurrency. By the tip of the yr, the group had broadened its methods and expanded its targets to incorporate cable telecommunications, e mail, and know-how organizations. Round this time, it started extorting victims whose information it had stolen, typically resorting to bodily threats.

Earlier this yr, the native-English-speaking group turned an affiliate of the ALPHV/BlackCat ransom-as-a-service operation. That made the group stand out since Japanese European ransomware crime syndicates not often settle for English-speaking members. Octo Tempest’s ALPHV/BlackCat ransomware assaults goal each Home windows and Linux variations techniques, usually after they run on VMWare ESXi servers. Targets usually are in industries together with pure sources, gaming, hospitality, shopper merchandise, retail, managed service suppliers, manufacturing, regulation, know-how, and monetary providers.

The evolution of Octo Tempest’s targeting, actions, outcomes, and monetization.
Enlarge / The evolution of Octo Tempest’s focusing on, actions, outcomes, and monetization.


“In latest campaigns, we noticed Octo Tempest leverage a various array of TTPs to navigate complicated hybrid environments, exfiltrate delicate information, and encrypt information,” Microsoft wrote. “Octo Tempest leverages tradecraft that many organizations don’t have of their typical risk fashions, similar to SMS phishing, SIM swapping, and superior social engineering methods.”

The researchers continued:

Octo Tempest generally launches social engineering assaults focusing on technical directors, similar to assist and assist desk personnel, who’ve permissions that would allow the risk actor to achieve preliminary entry to accounts. The risk actor performs analysis on the group and identifies targets to successfully impersonate victims, mimicking idiolect on cellphone calls and understanding private identifiable info to trick technical directors into performing password resets and resetting multifactor authentication (MFA) strategies. Octo Tempest has additionally been noticed impersonating newly employed workers in these makes an attempt to mix into regular on-hire processes.

Octo Tempest primarily positive factors preliminary entry to a company utilizing certainly one of a number of strategies:

  • Social engineering
    • Calling an worker and socially engineering the consumer to both:
      • Set up a Distant Monitoring and Administration (RMM) utility
      • Navigate to a web site configured with a faux login portal utilizing an adversary-in-the-middle toolkit
      • Take away their FIDO2 token
    • Calling a company’s assist desk and socially engineering the assistance desk to reset the consumer’s password and/or change/add a multi-factor authentication token/issue
  • Buying an worker’s credentials and/or session token(s) on a felony underground market
  • SMS phishing worker cellphone numbers with a hyperlink to a web site configured with a faux login portal utilizing an adversary-in-the-middle toolkit
  • Utilizing the worker’s pre-existing entry to cellular telecommunications and enterprise course of outsourcing organizations to provoke a SIM swap or to arrange name quantity forwarding on an worker’s cellphone quantity. Octo Tempest will provoke a self-service password reset of the consumer’s account as soon as they’ve gained management of the worker’s cellphone quantity.

Extra tradecraft consists of:

  • PingCastle and ADRecon to carry out reconnaissance of Energetic Listing
  • Superior IP Scanner to probe sufferer networks
  • Govmomi Go library to enumerate vCenter APIs
  • PureStorage FlashArray PowerShell module to enumerate storage arrays
  • AAD bulk downloads of customers, teams, and gadgets.

Octo Tempest techniques, tactics and procedures.
Enlarge / Octo Tempest methods, ways and procedures.


Microsoft’s publish accommodates varied different particulars, together with defenses organizations can undertake to repel the assaults. Defenses embody utilizing out-of-band communications when interacting with co-workers, educating workers, and implementing FIDO-compliant multifactor authentication.

Leave a Comment