A large-scale phishing campaign, dubbed 0ktapus, that reeled in unsuspecting users at Cloudflare and Twilio, among others, and led to a small downstream attack against secure messaging service Signal, has been revealed to have compromised nearly 10,000 user accounts at more than 130 organisations worldwide by exploiting the brand of identity and access management (IAM) specialist Okta.
This is according to researchers at Group-IB, who have today published an analysis of the attackers’ phishing infrastructure, phishing domains, phishing kits and the Telegram comms channels they used to drop compromised information.
Singapore-based, Russia-founded Group-IB said it opened an investigation at the end of July when one of its threat intelligence customers asked it for more information on a phishing attempt targeting its employees.
The subsequent probe led its investigators to conclude that the attack, as well as those on Cloudflare and Twilio, were the result of a “simple yet very effective” phishing campaign that was “unprecedented in scale and reach” and had been ongoing since March 2022.
“While the threat actor may have been lucky in their attacks, it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks,” said Roberto Martinez, senior threat intelligence analyst at Group-IB Europe.
“It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.”
Group-IB revealed the primary goal of the threat actors had been to obtain Okta identity credentials and multifactor authentication (MFA) codes from users at the targeted organisations. Those users received SMS messages containing links to phishing sites which mimicked their organisation’s Okta authentication page.
The investigators were not able to determine how the threat actors prepared their list or targets, nor how they got their hands on the needed phone numbers, however, according to the compromised data that Group-IB was able to analyse, it appears that there may have been other attacks on mobile operators and telecoms companies to harvest data before this campaign even got underway.
Group-IB said 0ktapus used 169 unique phishing domains, incorporating keywords including “SSO”, “VPN”, “Okta”, “MFA” and “help”. These sites would have appeared almost identical to the legitimate Okta verification pages. These sites were all created using a novel phishing kit, which contained code that enabled them to configure a Telegram bot and a channel that the attackers used to drop their stolen data.
All told, 0ktapus stole a total of 9,931 unique user credentials, including 3,129 records with valid email addresses and 5,441 records with MFA codes. Since two-thirds of the records did not contain a valid corporate email, merely a username and an MFA code, the research team were only able to determine the region where the users were located, meaning not all targeted organisations could be identified.
Rustam Mirkasymov, Group-IB Europe
What can be stated with confidence is that 114 out of 136 known victim organisations were US-headquartered companies. None were based in the UK, however, approximately 97 UK-based users had their credentials compromised by 0ktapus – compared with more than 5,500 in the US. Other compromised users were spread around the world, with over 40 apiece found in Canada, Germany, India and Nigeria.
Most of the victim organisations were, like Cloudflare and Twilio, IT providers, software companies or cloud services firms. Smaller numbers of victims were also found in the telco sector, general business services and financial services, and smaller numbers still in education, retail and logistics, legal services and utilities. Group-IB said it had notified all victims it could identify.
In terms of identifying the threat actors behind 0ktapus, Group-IB was also able to retrieve some of the details of one of the administrators of its Telegram channels, and from there identified their GitHub and Twitter accounts. This individual goes by the handle X and is thought to live in North Carolina in the US, although this may not be their true location.
Rustam Mirkasymov, head of cyber threat research at Group-IB Europe, said 0ktapus’s methods were nothing special, but the effort it put into planning, and pivoting across multiple victims, made the campaign a noteworthy one.
“0ktapus shows how vulnerable modern organisations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers. By making our findings public we hope that more companies will be able to take preventive steps to protect their digital assets,” he said.
More information on Group-IB’s findings, including a breakdown of indicators of compromise (IoCs), is available to read here.
This is the second major incident to have involved Okta in some way in recent months, coming after the firm was caught up in a supply chain attack when the Lapsus$ cyber extortion gang compromised a third-party, Sitel, in January 2022. There is no indication that the two incidents have any connection whatsoever.
Okta had not responded to a request for comment at the time of publishing.