The recent attacks on Twilio and Cloudflare were part of a coordinated phishing campaign that compromised nearly 10,000 accounts across 130 organizations, according to insights from cybersecurity firm Group-IB.
The wave of cyberattacks mimicked the well-known identity and access management firm Okta to gain leverage for its social engineering ploys, leading Group-IB researchers to nickname it 0ktapus.
And it would appear that the 0ktapus has many tentacles, launching what Group-IB calls “sophisticated supply chain attacks” using 169 phishing domains that worked off of keywords such as “SSO”, “VPN”, “OKTA”, “MFA”, and “HELP.”
“From the victim’s point of view, the phishing site looks convincing as they are very similar to the legitimate authentication page they are used to seeing,” said Group-IB, adding that it has tipped off law enforcement bodies worldwide as well as notifying targeted organizations.
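The article names the keywords the phishing domains were built around (SSO, VPN, OKTA, MFA, HELP). One defensive use of that detail is to scan web-proxy or DNS logs for newly seen domains that bake those keywords or the organisation's own name into the registered domain, while leaving legitimate subdomains such as `examplecorp.okta.com` alone. The following is an added example written for this article, not code from Group-IB, Okta or any of the companies named; the organisation name `examplecorp`, the allowlist and the proxy log lines are all constructed.

```python
"""Flag lookalike credential-phishing domains built from the reported keywords.

Added illustration for this article; not code from Group-IB or any vendor.
The organisation name, allowlist and proxy log lines are constructed.
"""
from urllib.parse import urlsplit

# Keywords Group-IB reported in the 0ktapus phishing domains.
PHISH_KEYWORDS = ("okta", "sso", "vpn", "mfa", "help")

# Hypothetical defender configuration (constructed for this example).
ORG_TOKENS = ("examplecorp",)
ALLOWLIST = {"examplecorp.com", "examplecorp.okta.com", "okta.com"}

# Constructed web-proxy log lines: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2022-07-20T10:01:02Z 10.0.0.5 GET https://examplecorp.okta.com/app/UserHome
2022-07-20T10:01:09Z 10.0.0.5 GET https://examplecorp-sso.com/login
2022-07-20T10:02:15Z 10.0.0.7 GET https://okta-examplecorp-help.net/verify
2022-07-20T10:03:30Z 10.0.0.9 GET https://www.examplecorp.com/about
2022-07-20T10:04:01Z 10.0.0.9 GET https://vpn-mfa-login.com/
"""


def is_allowlisted(host: str) -> bool:
    """True for an allowlisted apex or any subdomain of one."""
    return host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST)


def score_host(host: str) -> list[str]:
    """Return the reasons a host looks like a lookalike phishing domain.

    An empty list means the host raised no suspicion.
    """
    host = host.lower().rstrip(".")
    if is_allowlisted(host):
        return []
    labels = host.split(".")
    # Only inspect the registered (second-level) label: a keyword in a
    # subdomain of a trusted apex (sso.examplecorp.com) is normal, a keyword
    # baked into a freshly registered name (examplecorp-sso.com) is not.
    sld = labels[-2] if len(labels) >= 2 else host
    reasons = [f"keyword '{kw}' in registered domain"
               for kw in PHISH_KEYWORDS if kw in sld]
    if any(org in host for org in ORG_TOKENS):
        reasons.append("organisation name on a non-allowlisted domain")
    return reasons


def flag_hosts(log_text: str) -> dict[str, list[str]]:
    """Parse proxy log lines and map each suspicious host to its reasons."""
    flagged: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than crash
        host = urlsplit(parts[3]).hostname
        if not host:
            continue
        reasons = score_host(host)
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_PROXY_LOG).items():
        print(f"{host}: {'; '.join(reasons)}")
```

Keyword matching on the second-level label alone is deliberately narrow: it will miss lookalikes that rely on homoglyphs or on a trusted word in a subdomain of an attacker-owned apex, so in practice this check sits alongside newly-registered-domain feeds and certificate transparency monitoring rather than replacing them.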
The stolen data haul tracked by Group-IB came to a considerable tally. Before being exposed, 0ktapus managed to steal 9,931 user credentials, including 3,129 records with emails, and 5,441 with multifactor authentication codes. This is thought to include the recent Twilio breach that exposed hundreds of Signal users’ phone numbers, and a similar attack on Cloudflare shortly before that.
Nearly all of the victims were Okta service users based in the US, and details of the suspected attacker or attackers have been shared in confidence with the authorities. The prime purpose of the attacks appears to have been to harvest identity credentials and two-factor authentication codes used by employees at the target organizations.
What remains unclear is how the cybercriminals behind 0ktapus obtained the victims’ email addresses and telephone numbers, though Group-IB believes they could have obtained the latter by targeting telecoms firms in a separate pre-emptive campaign. Nor is it clear at the time of writing whether this campaign was sponsored by a nation-state group or purely motivated by profit.
It started off small
Group-IB says it first cottoned on to the attacks as being part of a singular and highly orchestrated campaign in July after it investigated a phishing attack on one of its clients.
“The investigation revealed that these phishing attacks, as well as the incidents at Twilio and Cloudflare, were links in a chain,” said Group-IB. “A simple yet very effective single phishing campaign unprecedented in scale and reach that has been active since at least March.”
Subsequent surveillance of private communication channel Signal showed that “once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks.”
Commenting on his team’s findings, senior threat intelligence analyst Roberto Martinez said that though showing evidence of high levels of organization, it could not be determined if the entire campaign was planned from the outset, or more the product of inspired opportunism.
“It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage,” he said. “Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.”