Microsoft Sounds Alarm Over English-Speaking Octo Tempest
Microsoft has described the Octo Tempest (aka Scattered Spider, 0ktapus, UNC3944) group as “one of the most dangerous financial criminal groups” operating today.
In a lengthy analysis, the tech giant explained that the financial extortion group is unusual in comprising English-speaking threat actors, even though it has collaborated with the Russian-speaking ALPHV/BlackCat ransomware operation.
“Historically, Eastern European ransomware groups refused to do business with native English-speaking criminals,” Microsoft noted.
The report said Octo Tempest began life in early 2022 with SIM swap attacks, which it followed with intrusions at technology companies and, later, ransomware deployment aimed mainly at VMware ESXi servers.
Victim organizations span a wide range of sectors, including telcos, technology firms, natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law and financial services.
“In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data,” Microsoft continued.
“Octo Tempest leverages tradecraft that many organizations don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques.”
The group benefits from “extensive technical depth and multiple hands-on-keyboard operators,” beginning attacks with sophisticated social engineering and impersonation. It researches and then targets technical administrators like support and help desk personnel, and even impersonates new hires, the report explained.
“In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts,” it added. “These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.”
The group also has a range of discovery, credential access, lateral movement, defense evasion and persistence techniques to support its post-exploitation activity.
To assist network defenders, Microsoft listed a range of defensive and threat hunting strategies in its report.
Octo Tempest has previously been linked to big-name breaches including those at MGM Resorts International, Caesars Entertainment, Okta and Twilio.