0ktapus campaign: Twilio, Cloudflare, and over 130 more victims discovered by Group-IB

Group-IB, one of the global leaders in cybersecurity, has discovered that the recently disclosed phishing attacks on the employees of Twilio and Cloudflare were part of the massive phishing campaign that resulted in 9,931 thousand accounts of over 130 organizations being compromised. The campaign was codenamed 0ktapus by Group-IB researchers due to the impersonation of a popular Identity and Access Management service. The vast majority of the victims are located in the United States and many of them use Okta’s Identity and Access Management services. Group-IB Threat Intelligence team uncovered and analyzed the attackers’ phishing infrastructure, including phishing domains, the phishing kit as well as the Telegram channel controlled by the threat actors to drop compromised information. All victim organizations identified by Group-IB researchers have been notified and provided with the list of compromised accounts. The findings about the alleged identity of the threat actor have been shared with international law enforcement agencies.

By accident or design?

On July 26, 2022, the Group-IB team received a request from its Threat Intelligence customer asking for additional information on a recent phishing attempt targeting its employees. The investigation revealed that these phishing attacks as well as the incidents at Twilio and Cloudflare were links in a chain a simple yet very effective single phishing campaign unprecedented in scale and reach that has been active since at least March 2022. As Signal disclosures showed, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks.

While the threat actor may have been lucky in their attacks it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks. It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.

Roberto Martinez

Senior Threat Intelligence analyst at Group-IB, Europe.

The primary goal of the threat actors was to obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.

It is still unknown how fraudsters prepared their target list and how they obtained the phone numbers. However, according to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks.

The big score

Group-IB researchers discovered 169 unique phishing domains involved in the 0ktapus campaign. The domains used keywords like “SSO“, ”VPN“, “OKTA”, ”MFA“, and ”HELP”. From the victim’s point of view, the phishing site looks convincing as they are very similar to the legitimate authentication page they are used to seeing.

When analyzing the phishing sites, Group-IB specialists found they have been created using the same phishing kit that they have not seen yet in the past. Further examination of the phishing kit’s code showed the lines dedicated to the configuration of the Telegram bot and the channel used by the attackers to drop compromised data.

Using its Threat Intelligence system, Group-IB researchers were able to analyze the compromised records obtained by the threat actors since March 2022.

The Group-IB team found that the threat actor managed to steal 9,931 user credentials, including 3,129 records with emails, and 5,441 records with MFA codes. Because two-thirds of the data didn’t contain a corporate email, but only usernames and 2FA codes, Group-IB researchers could only identify the region of residence of the victims.

Out of 136 victim organizations that Group-IB was able to identify, 114 companies are in the USA. That list also includes companies that are headquartered in other countries but have US-based employees that were targeted. Most companies on the victims’ list are providing IT, software development, and cloud services.

Based on recent news about hijacked Signal accounts, cybercriminals may try to get access to private conversations and data. Such information can be resold to the victim’s competitors or could simply be used to ransom a victim.

The Subject X

The Telegram features allow getting some information about the channel used by the phishing kit to collect compromised data, such as its name and the users administering it.

The Group-IB team was able to retrieve some details about the second administrator of the Telegram channel in question who goes by the nickname “X”.

Thanks to the Group-IB Threat Intelligence system that monitors Telegram channels used by cybercriminals, the Group-IB researchers were able to identify one of the posts that “X” made in 2019 that led Group-IB to his Twitter account. The same tool also revealed the name and last name the administrator of the channel was using, before adopting the name “X“. Looking up the Twitter handle on Google gives back a GitHub account containing the same username and profile picture. This account also suggests the location of Subject X is North Carolina, United States.

The methods used by this threat actor are not special, but the planning and how it pivoted from one company to another makes the campaign worth looking into. 0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers. By making our findings public we hope that more companies will be able to take preventive steps to protect their digital assets.

Rustam Mirkasymov

Head of Cyber Threat Research at Group-IB Europe

Group-IB Threat Intelligence team has prepared a detailed technical blog post with a list of the indicators of compromise, more insights into the investigation, as well as some recommendations to mitigate such attacks.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete Fraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed Extended Detection and Response (XDR), All-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.