The same hacking group that successfully breached Twilio Inc. and attempted to breach Cloudflare Inc. earlier this month is now believed to have breached more than 130 organizations in the same phishing campaign.

As detailed today by researchers at Group-IB Global Pvt. Ltd., the phishing campaign, codenamed “0ktapus” after its impersonation of identity and access management service Okta Inc., has resulted in an estimated 9,931 breached accounts in organizations primarily in the U.S. that use Okta’s IAM services. Okta had been previously targeted by the Lapsus$ hacking group in March.

Those behind 0ktapus then used the data stolen from Okta in March to carry out subsequent supply chain attacks. Along with Twilio and Cloudflare, other companies believed to have been targeted by the 0ktapus campaign include Mailchimp and DigitalOcean Holdings Inc. The hack of Twilio also exposed data from the encrypted messaging app Signal.

Bleeping Computer reported that other victims may include T-Mobile US Inc., MetroPCS, Verizon Wireless Inc., AT&T Inc., Slack Inc., Twitter Inc., Binance Holdings Ltd., KuCoin, Coinbase Inc., Microsoft Corp., Epic Games Inc., Riot Games Inc., Evernote Corp., HubSpot Inc., TTEC Holding Inc. and Best Buy Co. Inc.

According to Group-IB, the attacker’s initial objective was to obtain Okta identity credentials and two-factor authentication codes from users of the targeted organizations. With this information, the attackers could gain unauthorized access to any enterprise resources the victims had access to.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” wrote Rustam Mirkasymov, head of cyber threat research at Group-IB (Europe). “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

In an interesting twist, the Group-IB researchers were able to link at least one member of the group behind 0ktapus to a Twitter and GitHub account that suggests that the individual may be based in North Carolina.

The motivation behind the attacks remains unclear, with the researchers saying that espionage or financial gain are the two main possibilities.

“The Twilio and [attempted] Cloudflare breaches demonstrate the rise in phishing attacks to successfully harvest credentials at the start of the attack chain to perpetrate a breach,” Patrick Harr, chief executive officer of anti-phishing company SlashNext Inc., told SiliconANGLE. “These attacks were well planned and executed.”

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., commented that this is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication. “Many cybersecurity leaders and organizations are touting the fake fact that MFA stops 99% of all hacking attacks,” he said. “It doesn’t. It never will.”

Lior Yaari, CEO of cybersecurity startup Grip Security Ltd., also noted that the attack demonstrates how fragile identity and access management are. “The industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attacks,” Yaari said. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta, because the extent and cause of the breach are still unknown.”

Photo: Morten Brekkevold/Flickr