Tentacles of ‘Oktapus’ Threat Group Victimize 130 Firms

Pointers at a Glance

  • Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that compromised 9,931 accounts at over 130 firms.
  • The campaigns are tied to focused abuse of the identity and access management firm Okta, which earned the threat actors the Oktapus moniker from researchers.

In a recent report, Group-IB researchers wrote that the main goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organizations. These users got text messages containing links to phishing sites that copied the Okta authentication page of their organization.

Impacted were 114 US-based firms, with additional victims spread across 68 other countries.

Roberto Martinez, a senior threat intelligence analyst at Group-IB, said the scope of the attacks is still unknown. He said the Oktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.

What The Oktapus Hackers Wanted

The Oktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of gaining access to potential targets’ phone numbers.

While it was unclear exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that Oktapus attackers began their campaign focusing on telecommunications companies.

Researchers wrote that according to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting telecommunications companies and mobile operators and could have gathered the numbers from those initial attacks.

Next, attackers sent phishing links to targets through text messages. Those links led to web pages mimicking the Okta authentication page used by the target’s employer. Victims were then asked to submit their Okta identity credentials along with the multi-factor authentication (MFA) codes employees used to secure their logins.
