For a long time, it was considered virtual suicide for would-be cybercriminals in the US or UK to attempt to get into the ransomware game. They would be hunted by the most active and advanced law enforcement agencies in the world, and would be frozen out of the greater Russian-dominated ransomware and botnet ecosystem.
The times seem to be changing, at least according to Microsoft’s new profile on MGM and Caesars hackers “Octo Tempest.” Also previously called “Scattered Spider” and “Oktapus” by other security researchers, the group appears to be composed of native speakers of English able to convince organizations that they are a legitimate employee over the phone.
Western cybercriminals forging relationships with Russian outfits
What sets Octo Tempest apart from other cybercriminals is the highly advanced social engineering capability, something that ransomware gangs typically struggle with. The group’s current modus operandi is to target support and help desk employees with phone calls or text messages, doing extensive research firsthand to successfully pose as a member of the organization who needs help.
While social engineering is Octo Tempest’s best trick, the group is not above simpler approaches when available; Microsoft notes they have simply purchased employee logins from other cybercriminals on the dark web, and in at least one case made crude threats to shoot the wife of a target if they did not give up their login information.
Octo Tempest’s skill lies mostly in manipulation of target employees, but the group has at least basic hacking chops once it gets into a network in using tools to quickly find items of interest and to obfuscate the exfiltration of this data. In terms of ransomware, it has become an affiliate of the ALPHV/BlackCat group. This is something of a novel development as English-speaking cybercriminals thought to be based in the US or Europe are usually shunned by the major ransomware-as-a-service providers.
Perps of MGM and Caesars hacks now considered among world’s leading financial threats
Octo Tempest was first spotted in 2022 and got off to a relatively modest start, stealing data seemingly for quick sale on the dark web or for its own use (often attempting to break into crypto wallets). The group moved into data extortion in 2023, and its ransomware attacks were first spotted in June of this year. The group had several smaller strikes before it hit Caesars and MGM, racking up a $15 million payment from the former and leaving the latter in chaos for weeks after it refused to pay.
The group is now, at least according to Microsoft’s report, one of the leading financial threats to organizations throughout the world. The cybercriminals have earned this lofty status primarily on the basis of their highly skilled social engineering, and proven ability to execute SIM swap attacks.
There are a number of ways to address the threat this group poses, many of which overlap with the more general advice always given for stopping ransomware attacks: consider AI-based network monitoring, stay on top of updates and patches, ensure that incident response plans are up to date and practiced, and so on. But this particular group’s strength is in tricking employees in a way that they are not accustomed to seeing from threat actors, so awareness and training across IT support roles is likely the most productive first step.