Octo Tempest: the hacking group that resorts to death threats

Microsoft has warned companies to be on guard from attacks from the Octo Tempest hacking group, which has resorted to death threats among many other malicious tactics.

Microsoft describes Octo Tempest as “one of the most dangerous financial criminal groups”, warning that it uses unusual techniques to target organisations and high-net-worth individuals.

Octo Tempest worms its way into companies in a variety of ways. These range from conventional social engineering, where attackers convince staff to install remote access utilities, through to rarer tactics, such as mobile phone SIM-swapping. Here, they gain control of an employee’s phone number and use that to bypass two-factor authentication.

In rare case, Microsoft has also seen the group use stolen personal information such as employees’ home addresses to make death threats. Screenshots released by Microsoft show Octo Tempest attackers threatening to “send a shooter to your house” and warning “ur [sic] wife is gonna get shot” if a target doesn’t hand over logins.

Octo Tempest’s targets: data and cryptocurrency

Once inside an organisation, Octo Tempest is generally after data or cryptocurrency.

“Like in most cyberattacks, data theft largely depends on the data readily available to the threat actor,” Microsoft writes in a lengthy blog on the organisation’s tactics. “Octo Tempest accesses data from code repositories, large document management and storage systems, including SharePoint, SQL databases, cloud storage blobs/buckets and email”.

It goes on to say that Octo Tempest uses “legitimate management clients” such as Azure SQL Query Editor, Cerebrata, DBeaver and MongoDB Compass “for the purpose of connection and collection”.

Microsoft adds that the group “employs a unique technique using the data movement platform Azure Data Factory and automated pipelines to extract data to external actor hosted Secure File Transfer Protocol (SFTP) servers, aiming to blend in with typical big data operations”.

The attackers will normally deploy ransomware after data has been stolen, with recovery made particularly difficult because of the techniques used. “Many of these communications have been leaked publicly, causing significant reputational damage to affected organisations,” Microsoft adds.

Defending against Octo Tempest

Needless to say, defending against such attacks isn’t easy, and Microsoft has a long list of counter measures on its blog. These include constant review and scrutiny of any administration changes, and closely examining the use of any remote admin tools, even those that are already in legitimate use.

Ensuring that only a minimal amount of staff have access to critical workloads is “paramount” to defending against such attacks, Microsoft adds.