Highlights:

  • Bleeping Computer said that Microsoft, Epic Games, Riot Games, Evernote, HubSpot, TTEC Holding, and Best Buy Co. Inc. might also have been affected.
  • Researchers have speculated that espionage and financial gain may be behind the attacks, but neither explanation has been definitively proven.

More than 130 businesses are suspected of falling victim to the same phishing campaign that compromised Twilio Inc. and Cloudflare Inc. earlier this month.

Group-IB Global Pvt. Ltd. researchers reported today that 9,931 accounts in enterprises were compromised predominantly in the United States that use Okta’s IAM services. The phishing effort was dubbed “0ktapus” after the impersonation of identity and access management firm Okta Inc. Before March, the Lapsus$ hacker gang had already attempted to breach Okta’s defences.

After stealing data from Okta in March, the hackers behind 0ktapus used it in subsequent supply chain attacks. Mailchimp and DigitalOcean Holdings Inc. are among the companies that may have been hit by the 0ktapus attack, along with Twilio and Cloudflare, since the encrypted texting app Signal had its data exposed in the theft of Twilio as well.

Bleeping Computer said that Microsoft Corp., Slack Inc., Epic Games Inc., Twitter Inc., Riot Games, Evernote Corp., HubSpot Inc., TTEC Holding Inc., Binance Holdings Ltd., and Best Buy Co. Inc. may also have been affected.

Group-IB claims that the attacker’s primary goal was to steal users’ Okta identity credentials and two-factor authentication codes. The attackers might use this data to access internal company systems the victims were permitted to use.

Rustam Mirkasymov, head of cyber threat research at Group-IB (Europe), wrote, “This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations. Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

One of the group members of 0ktapus has a Twitter and GitHub account that the Group-IB researchers have linked to a North Carolina IP address, which makes for an intriguing twist.

Researchers have speculated that espionage and financial gain may be behind the attacks, but neither explanation has been definitively proven.

Patrick Harr, chief executive officer of anti-phishing company SlashNext Inc., commented, “The Twilio and Cloudflare breaches demonstrate the rise in phishing attacks to successfully harvest credentials at the start of the attack chain to perpetrate a breach. These attacks were well planned and executed.”

Another phishing attack demonstrates how simple it is for attackers to circumvent purportedly secure multifactor authentication, as noted by Roger Grimes, a data-driven defence evangelist at security awareness training firm KnowBe4 Inc. He said, “Many cybersecurity leaders and organizations are touting the fake fact that MFA stops 99% of all hacking attacks. It doesn’t. It never will.”

The attack also demonstrates how vulnerable identity and access management are, according to Lior Yaari, CEO of cybersecurity startup Grip Security Ltd. Yaari said, “The industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attacks. The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta, because the extent and cause of the breach are still unknown.”