![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2023/10/octotempest.png)
Microsoft Corp.’s Incident Response and Threat Intelligence teams are warning that the hacking group that attacked MGM Resorts International Inc. and Caesars Entertainment Inc. in September is “one of the most dangerous financial criminal groups.”
The hacks were undertaken by a hacking group Microsoft tracks as “Octo Tempest” but is also known by other security researchers as Scattered Spider and UNC3944. Octo Tempest first became active in early 2022 and uses extensive social engineering methods to target organizations worldwide, aiming for financial extortion.
The group started out targeting mobile telecommunications and business process outsourcing organizations, mainly for phone number-porting SIM swaps. By late 2022 and into early 2023, the group began to extort organizations using data stolen from them, sometimes even using physical threats as leverage.
By mid-2023, Octo Tempest joined forces with the better-known ALPHV/BlackCat ransomware-as-a-service operation and began extorting victims using the ALPHV Collections leak site without deploying ransomware. The relationship then extended to the group deploying ALPHV/BlackCat ransomware itself, primarily targeting VMware ESXi servers. That affiliation is why early reports on the MGM hack linked the attack to ALPHV: Scattered Spider had deployed ALPHV/BlackCat ransomware in the attack.
To reel in victims, Octo Tempest targets technical administrators using social engineering. The group impersonates employees of the victim organization, often mimicking their speech patterns or pretending to be newly hired staff. Its main methods for initial access include social engineering calls, purchasing employee credentials on the black market, SMS phishing and initiating SIM swaps, or setting up call forwarding on an employee’s phone. In some cases, the group uses intimidation by sending threats to specific individuals.
In the initial stage of their attacks, Octo Tempest undertakes extensive research, looking for data related to network infrastructure, password policies and more. They also explore cloud environments and other platforms. The group elevates their privileges through methods like initiating SIM swaps, social engineering and using stolen organizational procedures. Octo Tempest continually seeks to gather more credentials using open-source tools to identify keys and secrets.
To avoid detection, the group also compromises the accounts of security personnel within victim organizations and uses them to turn off security products and features. With those accounts, the threat actor abuses endpoint detection and response and device management tooling to allow malicious tooling, deploy remote monitoring and management software, remove or impair security products, steal sensitive files and deploy malicious payloads.
Tony Goulding, cybersecurity evangelist at privileged access management company Delinea Inc., told SiliconANGLE that what stands out for him as the most dangerous thing about Octo Tempest is the group’s blend of sophisticated techniques, broad scope of industries targeted and their aggressive approach.
“Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat,” Goulding explained. “This is particularly beneficial when using idiolect methods to convincingly impersonate employees during phone calls. Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques.”
Callie Guenther, senior manager of cyber threat research at managed detection and response company Critical Start Inc., agreed that the multifaceted approach Octo Tempest employs is particularly alarming.
“Beyond their technical prowess, they’ve mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations,” Guenther wrote. “This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold. The real concern emerges when one realizes they’ve diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.”