Microsoft has detected a threat actor linked to the gang that recently launched high-profile cyberattacks on casinos in Las Vegas. In rare cases, the criminals involved in this latest raft of attacks have even issued victims with death threats.
“Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for organizations across multiple industries,” said the tech giant in a bulletin released on October 25th.
Microsoft tracks Octo Tempest as overlapping with Scattered Spider, the group behind the September attacks on the MGM and Caesars casino chains in Nevada.
“Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion,” said Microsoft. “With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups.”
What makes Octo Tempest unusual is that it is believed to be composed of native English-speaking criminals, who this year allied themselves with the Russian-linked ransomware gang ALPHV/BlackCat.
“This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals,” said Microsoft.
In June, Octo Tempest began using BlackCat’s ransomware, delivering payloads targeting both Windows and Linux operating systems.
“Octo Tempest progressively broadened the scope of industries targeted for extortion,” added Microsoft. “Including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.”
The group is believed by Microsoft to be motivated purely by financial gain, and ruthless to boot. The tech giant shared screenshots in which gang members threatened targets with the murder of loved ones if they refused to surrender passwords and other access codes.
“Send ur [sic] login and everything goes away,” read one. “We delete ur info after we have what we need […] or u can get ur house shot […] u pick one.”
Another read: “If we don’t get ur […] login in the next 20 minutes were [sic] sending a shooter to your house […] ur wife is gonna get shot.”
Once Octo Tempest criminals have gained the access they need, they “carry out broad searches across knowledge repositories to identify documents related to network architecture, employee onboarding, remote access methods, password policies, and credential vaults.”
Microsoft added: “Octo Tempest then performs exploration through multi-cloud environments enumerating access and resources across cloud environments, code repositories, server and backup management infrastructure, and others.”
At that point, the gang members inventory databases and establish “footholds to aid further phases of the attack.”
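The discovery phase described above (bulk searches of internal knowledge repositories for network architecture, onboarding, remote access, password policy and credential vault material) leaves a footprint in search-audit logs that defenders can hunt for. The following is an added illustration, not code from Microsoft or from the bulletin: it runs a sliding-window detection over a constructed set of search-audit lines in a hypothetical `key=value` format, flagging any identity that issues several searches for sensitive topics across multiple repositories within a short window. The log format, the `SENSITIVE_TERMS` list, the window and the threshold are all assumptions to be tuned to a real environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of search-audit events in a hypothetical key=value format.
# These lines are made up for this example and are not from any real product log.
SAMPLE_LOG = """\
2023-10-20T09:00:01Z user=jdoe app=wiki query="remote access vpn setup"
2023-10-20T09:01:14Z user=asmith app=wiki query="lunch menu"
2023-10-20T09:02:30Z user=jdoe app=sharepoint query="employee onboarding checklist"
2023-10-20T09:03:05Z user=jdoe app=wiki query="network architecture diagram"
2023-10-20T09:04:47Z user=asmith app=sharepoint query="password policy"
2023-10-20T09:05:10Z user=jdoe app=git query="credential vault"
2023-10-20T09:06:58Z user=jdoe app=sharepoint query="password policy exceptions"
2023-10-20T10:30:00Z user=asmith app=wiki query="vpn"
"""

# Topics named in the discovery behaviour; an assumed starting list, not exhaustive.
SENSITIVE_TERMS = (
    "network architecture", "onboarding", "remote access", "vpn",
    "password policy", "credential vault", "privileged access",
)

# Assumed line layout: <ISO-8601 UTC timestamp> user=<id> app=<repo> query="<text>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) query="(?P<query>[^"]*)"$'
)


def parse_event(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "app": m["app"], "query": m["query"].lower()}


def is_sensitive(query):
    """True when the (lower-cased) query mentions any sensitive topic."""
    return any(term in query for term in SENSITIVE_TERMS)


def find_discovery_bursts(log_text, window=timedelta(minutes=15), threshold=4):
    """Return {user: (max_hits_in_window, sorted_apps)} for users whose count of
    sensitive searches inside any single sliding window reaches the threshold."""
    per_user = defaultdict(deque)  # per-user sliding window of (timestamp, app)
    flagged = {}
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # audit exports are not always in order
    for e in events:
        if not is_sensitive(e["query"]):
            continue
        q = per_user[e["user"]]
        q.append((e["ts"], e["app"]))
        # Drop entries that fell out of the window relative to the newest event.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            apps = sorted({app for _, app in q})
            prev = flagged.get(e["user"])
            if prev is None or len(q) > prev[0]:
                flagged[e["user"]] = (len(q), apps)
    return flagged


if __name__ == "__main__":
    for user, (hits, apps) in find_discovery_bursts(SAMPLE_LOG).items():
        print(f"{user}: {hits} sensitive searches across {', '.join(apps)}")
```

In the constructed sample, `jdoe` issues five sensitive searches across three repositories in under seven minutes and is flagged, while `asmith` makes two sensitive searches an hour and a half apart and is not. Spreading the count across repositories (`apps`) is what distinguishes this from an employee looking up one policy page; a real deployment would also exclude known service accounts and baseline each user's normal search volume.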
Once they have an intimate knowledge of how a target organization works, they leverage that to conduct further social engineering attacks to compromise the victim organization even more. The ultimate goal is to profit illegally from cryptocurrency theft, ransomware attacks, and extortion.
Microsoft warns that the sophistication of Octo Tempest’s TTPs will make the group hard for cybersecurity professionals to track, but it has issued general guidelines to help “surface their activity.”