Group-IB, a global cybersecurity company, has discovered that 9,931 sets of user credentials from over 130 organisations were compromised by a large-scale phishing campaign it named "0ktapus". The campaign has been active since March 2022 and affected organisations primarily based in the US, most of which use Okta's Identity and Access Management services. Group-IB's Threat Intelligence team identified and analysed the attackers' phishing infrastructure, including the phishing domains, the phishing kit, and a Telegram channel used to collect the stolen data. The team also shared its findings on the alleged identity of the threat actor with international law enforcement agencies.

Phishing attackers’ techniques

The attackers' primary goal was to obtain Okta identity credentials and two-factor authentication codes from users at the targeted organisations. They achieved this by sending phishing text messages (SMS) containing links to phishing sites designed to mimic the Okta authentication page of the victim's organisation. It is still unknown how the fraudsters prepared their target list or how they obtained the phone numbers, but Group-IB believes the threat actors began by targeting mobile operators and telecommunications companies.

According to the cybersecurity firm, the attackers used 169 unique phishing domains, typically built from keywords such as "SSO", "VPN", "OKTA", "MFA" and "HELP". Group-IB researchers found that the phishing sites were built with a previously unseen phishing kit, and most of them closely imitated the legitimate authentication page the victims were used to seeing.
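The domain pattern described above is something a SOC can hunt for directly in SMS-gateway, proxy or DNS logs. The following script is an added example, not code from the article or from Group-IB: it extracts URLs from message bodies, scores each hostname for the keywords the article lists, treats any use of the Okta brand outside Okta's own domains as impersonation, and additionally counts the targeted organisation's name as a signal (that last heuristic is an assumption of this example, not something the page states). The Okta allow-list, the org name "acme" and the SMS bodies are constructed for the example; the hostnames use the reserved .example TLD so they never resolve.

```python
import re
from urllib.parse import urlparse

# Keywords the article reports in the 0ktapus phishing domains.
SUSPICIOUS_TOKENS = ("sso", "vpn", "okta", "mfa", "help")

# Domains a genuine Okta sign-in page is served from; a customer tenant is a
# subdomain such as <org>.okta.com. Assumed allow-list for this example.
LEGIT_OKTA_SUFFIXES = ("okta.com", "oktapreview.com", "okta-emea.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_legit_okta(host: str) -> bool:
    """True only for an Okta-owned domain or a subdomain of it (tenant pages)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_OKTA_SUFFIXES)


def score_host(host: str, org_name: str):
    """Count 0ktapus-style signals in a hostname. Returns (score, reasons)."""
    host = host.lower().rstrip(".")
    if is_legit_okta(host):
        return 0, []
    reasons = [f"keyword '{t}'" for t in SUSPICIOUS_TOKENS if t in host]
    if org_name.lower() in host:
        # Assumed heuristic: lure domains often embed the victim org's name.
        reasons.append(f"org name '{org_name.lower()}'")
    return len(reasons), reasons


def is_suspicious(host: str, org_name: str, threshold: int = 2) -> bool:
    """Flag a host that combines two or more signals, or that uses the Okta
    brand anywhere outside Okta's own domains (brand impersonation)."""
    score, reasons = score_host(host, org_name)
    return score >= threshold or "keyword 'okta'" in reasons


def triage_messages(messages, org_name):
    """Extract URLs from SMS bodies and return the hosts that look like
    0ktapus-style lures, each with the reasons it was flagged."""
    flagged = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlparse(url).hostname or ""
            if host and is_suspicious(host, org_name):
                flagged.append((host, score_host(host, org_name)[1]))
    return flagged


# Constructed sample SMS bodies (not real messages).
SAMPLE_SMS = [
    "ACME IT: your VPN session has expired, re-authenticate at https://acme-sso.example/login",
    "Reminder: team lunch Friday https://calendar.google.com/event/123",
    "ACME helpdesk: confirm your Okta MFA reset at http://acme-okta-help.example/mfa",
    "Sign in: https://acme.okta.com/app/sso",
    "Support ticket 4471 updated: https://support.acme.example/tickets/4471",
]

if __name__ == "__main__":
    for host, why in triage_messages(SAMPLE_SMS, "acme"):
        print(f"{host}: {', '.join(why)}")
```

The two-signal threshold keeps a host such as support.acme.example (org name only) out of the alerts, while acme-sso.example (keyword plus org name) and acme-okta-help.example (two keywords plus org name) are flagged; the real tenant acme.okta.com is exempt because it sits under okta.com. In production the allow-list should come from the IdP configuration rather than a hard-coded tuple, and the same scoring can be applied to newly observed domains in passive DNS or certificate transparency feeds.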

Analysis of the phishing kit's code showed that the stolen data was sent through a Telegram bot to a channel controlled by the threat actors; the bot and channel configuration was embedded in the kit itself. Group-IB analysts examined the records the threat actors had collected since March 2022 and found that they had stolen 9,931 user credentials, including 3,129 records containing email addresses and 5,441 records containing MFA codes.

US-based companies dominated the victim list: 114 of the 136 organisations identified by Group-IB. The remaining companies are headquartered in other countries but had US-based employees targeted by the campaign. The affected firms mainly provide IT, software development and cloud services. Group-IB researchers recommend that companies remain vigilant about the risks of phishing attacks.

The suspected actor of 0ktapus phishing attack

The Group-IB team retrieved details about the second administrator of the Telegram channel used to collect the stolen data, who goes by the alias "X". Group-IB's Threat Intelligence system, which monitors Telegram channels used by cybercriminals, identified a post "X" made in 2019 that led to the administrator's Twitter account; the same tool also revealed the first and last name the administrator had used before adopting the alias "X". A Google search for "X"'s Twitter handle led the team to a GitHub account with the same username and profile picture, which also indicated that Subject X is located in North Carolina, United States.

The importance of cybersecurity in the digital age

The recent discovery of the 0ktapus phishing campaign serves as a stark reminder of the importance of cybersecurity in today’s digital age. With more and more businesses relying on cloud-based services and remote work, the potential for cyber attacks has increased significantly. Companies must take proactive measures to protect themselves and their employees from these types of attacks.

One of the most effective ways to do this is through employee education and training. Employees should be made aware of the risks of phishing attacks and how to identify them, and should be trained on best practices for password management and two-factor authentication. The 0ktapus figures also show the limit of that advice: the kit collected 5,441 MFA codes alongside passwords, so a one-time code typed into a lookalike page gives the attacker everything needed to log in as the victim. Phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the authentication to the legitimate site's origin, are not defeated by this kind of lookalike page.

In addition to employee training, companies should also invest in advanced cybersecurity solutions. This includes threat detection and response tools, as well as security monitoring and incident response services. By taking a proactive approach to cybersecurity, companies can minimize the risk of data breaches and other cyber attacks.