A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations


Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organisations, in the latest far-reaching supply chain attack on corporate America. It began with the identity verification and password management tool Okta, according to the report published Thursday. The hacking campaign could have lasted months.

The news comes from research conducted by cybersecurity firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, Cloudflare, and others. Some 125 companies using Twilio had their data compromised.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” researchers wrote in their blog Thursday. “Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

How the Hacking Campaign Worked

Unfortunately, this isn’t a wholly unfamiliar story. It’s been a pretty tough couple of years for corporate cybersecurity, tough enough to inspire the question: do blue-chip tech companies just totally suck at protecting themselves, or do hackers keep getting lucky, or both? It isn’t even the first time Okta has been hacked this year. While we can’t say for certain either way, what is clear is that the “0ktapus” campaign, like a lot of other recent hacking episodes, was remarkably successful at compromising a broad array of corporate networks using elementary intrusion techniques.

Researchers say that the hackers used a pretty standard tool, a phishing toolkit, to target employees of the companies that they wanted to breach. Such kits are prepackaged hacking tools that can be purchased — usually for pretty low prices — on the dark web. In this case, the hackers first went after companies that were users of Okta, the identity and access management firm that provides single sign-on services to platforms all across the web. Using the toolkit, the threat actor sent SMS phishing messages to victims that were styled to look just like the ID authentication pages provided by Okta. Thinking that they were engaging in a normal security procedure, victims would enter their information — including username, password, and multi-factor authentication code.

After they entered this information, the data was then secretly funneled to a Telegram account controlled by the cybercriminals. From there, the threat actor could use the Okta credentials to log into the organisations that the victims worked for. The network access was subsequently abused to steal company data and engage in more sophisticated supply chain attacks that targeted the broader corporate ecosystems that the firms were a part of.
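The lure described above is a fake Okta sign-in page reached from an SMS link. The following is an added example (not from the article or from Group-IB) of how a security team could triage employee-reported links for Okta lookalikes; it assumes the real tenant lives under okta.com and that reported URLs arrive one per line, and the sample input is constructed.

```python
"""Added example, not from the article: flag reported URLs that resemble an Okta sign-in lure.
Assumes the organisation's genuine sign-in flow lives under the trusted suffixes below."""
from urllib.parse import urlparse

# Assumed allow-list of domains the genuine Okta flow may use.
TRUSTED_SUFFIXES = ("okta.com", "oktapreview.com")
# Brand tokens a lure tends to embed in its hostname or path.
BRAND_TOKENS = ("okta", "sso", "mfa", "verify")
# Digit-for-letter swaps such as "0kta" (the campaign's own name plays on this).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample of employee-reported links, one per line.
SAMPLE_REPORTS = """\
https://example.okta.com/login/login.htm
https://example-0kta.com/sso
http://example-sso.net/okta/verify
https://wiki.example-intranet.org/page
"""

def registrable_domain(host: str) -> str:
    """Last two labels of the host; simplified, ignores multi-part public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def lookalike_reasons(url: str) -> list[str]:
    """Reasons a URL resembles an Okta lure; empty for trusted or benign hosts."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host or is_trusted(host):
        return []
    reasons = []
    normalized = host.translate(HOMOGLYPHS)   # undo 0->o style substitutions
    host_hits = [t for t in BRAND_TOKENS if t in normalized]
    if host_hits:
        reasons.append(f"brand token {host_hits} in untrusted domain {registrable_domain(host)}")
    if normalized != host and host_hits:
        reasons.append("digit-for-letter substitution in hostname")
    path_hits = [t for t in BRAND_TOKENS if t in parsed.path.lower()]
    if path_hits:
        reasons.append(f"brand token {path_hits} in path on untrusted host")
    return reasons

def triage(report_text: str) -> dict[str, list[str]]:
    """Map each reported URL that looks like a lure to the reasons it was flagged."""
    flagged = {}
    for line in report_text.splitlines():
        url = line.strip()
        if url and (reasons := lookalike_reasons(url)):
            flagged[url] = reasons
    return flagged
```

The heuristic is a triage aid, not a verdict: a flagged link still needs a human or sandbox check, and a clean result does not prove a link is safe.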

It isn’t exactly clear how the hacker or hackers would have initially gained access to the phone numbers of the staff members that they targeted, though such information can sometimes be culled from previous data breaches, or can be purchased on the dark web.

Who is Behind the Hacking Campaign?

Group-IB researchers believe they have actually uncovered the identity of a person potentially connected to the phishing campaign. Using Group-IB’s own proprietary tools, researchers were able to track down Twitter and Github accounts that may be linked to a hacker associated with the campaign. That person goes by the username “X,” and they are known to be active in Telegram channels commonly used by cybercriminals. Researchers said that both accounts share the same username and profile picture, and both also claim that the user is a 22-year-old software developer. The Github account suggests that the user is based in North Carolina, researchers write.

Group-IB has not published Subject X’s identity, though they have provided additional analysis of the tactics and techniques used in the hacking campaign. Context clues uncovered during the investigation “may indicate that the attacker is inexperienced,” researchers write, though they also note that whoever was responsible for the campaign did a pretty good job at pwning their targets. The report states:

“While it is possible that the threat actor may have been lucky in their attacks it is far more likely that they carefully crafted their attacks in order to launch the sophisticated supply chain attacks outlined above. It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, it is clear that the attack has been incredibly successful and the full scale of the attack may not be known for some time.”

You don’t have to be a hardened cybercriminal to use a phishing toolkit. Indeed, the way the cybercrime economy is structured today allows even the most technically inexperienced web user to procure powerful hacking tools that can cause a lot of damage. It’s unfortunate, but, if you want to buy a cyberweapon that can take down a website or steal someone’s MFA codes, all you typically need is a VPN, a little crypto, and a lack of scruples.

Signal and Others Hacked

Though we don’t know who is responsible for this phishing campaign, what is clear is that they’ve created a mess. The terrible thing about supply chain attacks is that they tend to have a cascading effect. Because of the way the software industry is structured today (think: a network of enterprise systems, wherein each tech company outsources some or most IT processes to some other company), an intrusion into one business can sometimes spell trouble for dozens (or hundreds) of others. Case in point: we are now seeing a slow trickle of firms announce data breaches in connection with this hacking episode, and it’s unlikely it’s over.

Most recently, the food delivery app DoorDash announced on Thursday that a data breach had taken place. In a blog post, the company noted that cybercriminals had managed to phish one of its third-party vendors, potentially exposing certain corporate information, as well as customer information — including the names, email addresses, delivery addresses and phone numbers of an undisclosed amount of app users.

Meanwhile, the hack of Twilio — a widely used communications provider — has spurred security issues for a host of companies that use its services. Twilio has admitted that the data of as many as 125 clients was potentially exposed by the incident. Most prominently, the hack spawned a security breach for encrypted chat app Signal. Signal, which uses Twilio for phone number verification services, saw some 1,900 user accounts partially affected — a pretty unfortunate turn of events for a company that prides itself on keeping user data secure. It appears that the threat actor was attempting to gain access to Signal conversations and user data, though Signal has stressed that message history and other sensitive information was not affected by the incident.

At the same time, other companies such as newsletter provider MailChimp, which was hacked back in April, seem to have been mined for information on users associated with cryptocurrency firms. Hypothetically, such information could be used to target crypto users with additional phishing scams.

Given the number of companies ensnared in this debacle, it’s unlikely that this is the last we’ll hear about the hacking campaign — something that Group-IB seemed to acknowledge in its write-up Thursday. “In line with Group-IB’s mission of fighting cybercrime, we will continue to explore the methods, tools, and tactics used by these phishing actors,” the researchers wrote. “We will also continue to inform and warn targeted organisations worldwide.”


At Gizmodo, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.