Highly motivated financial cybercriminal group Octo Tempest crosses boundaries: Microsoft

Financially motivated threat actor Octo Tempest has become a growing concern for organizations across multiple industries across the globe. The cybercriminal group leverages broad social engineering campaigns to compromise organizations with the goal of financial extortion, data theft and ransomware, Microsoft said in a recent blog post which also details mechanisms to defend against its activity.

The Microsoft Incident Response and Microsoft Threat Intelligence security researchers label the threat actor as "one of the most dangerous financial criminal groups" that launches wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities.

The threat actor has been active since early 2022, targeting mobile telecommunications and business process outsourcing organizations for sim swapping. The group monetized their intrusions by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.

Building on this success, they harnessed their experience and adopted an increasingly aggressive approach. According to Microsoft security researchers, from late 2022 to early 2023, Octo Tempest expanded their target to include cable telecommunications, email, and technology organizations and began monetizing intrusions by extorting victim organizations for data theft.

Further, in mid-2023, the English-speaking cybercriminal group became an affiliate of ALPHV/BlackCat - human-operated ransomware as a service (RaaS) operation - with the initial victims being extorted for data theft (with no ransomware deployment) using ALPHV Collections leak site.

By June 2023, the group started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims. Lately, they have focused their deployments primarily on VMWare ESXi servers. They progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.

In its blog post, Microsoft has outlined some general guidelines alongside robust deconfliction with legitimate users will surface their activity. Microsoft also strongly recommends practising basic security hygiene by implementing a baseline set of Conditional Access policies