A mysterious hacking gang stole around 10,000 login passwords from the personnel of 130 firms

By Somya Agrawal Published on August 26, 2022, 19:34 IST

The report published on Thursday asserts that the identity verification and password management tool Okta is where it all began. Researchers assert that a mysterious hacking gang managed to get around 10,000 login passwords from the personnel of 130 firms in the largest supply chain attack on an American company. It’s possible that the hacking campaign lasted for several months. Research on the hacking attempt was conducted by cybersecurity firm Group-IB, which got interested in it after one of its clients fell for phishing and asked for help.

The investigation shows that the threat actor known as “0ktapus” used simple tactics to target staff members of various well-known companies. Using stolen login credentials, the hacker(s) would access corporate networks, steal data, and then enter the network of another business. The victims include well-known software firms like Twilio, MailChimp, Cloudflare, and others. Data was stolen from 125 different Twilio users in total.

Even this year, Okta has been the victim of numerous hacks. It is clear that the “0ktapus” campaign, like many other recent hacking instances, was surprisingly successful in infiltrating a variety of company networks using basic intrusion strategies, even though we cannot be certain in either direction. Researchers claim that the hackers chose to use a phishing toolkit, a fairly popular tactic, to target employees of the companies they sought to infiltrate. On the dark web, you can purchase these preconfigured hacking tool packages for typically very low prices.

In this case, Okta, an identity and access management provider that provides single sign-on services to platforms all across the internet, was employed by the businesses that the hackers initially targeted. Using the tools, the threat actor sent SMS phishing messages to victims that looked a lot like the ID authentication screens provided by Okta. In the process, the victims would submit their login, password, and multi-factor authentication code while feigning compliance with standard security procedures. The data was then secretly forwarded to a Telegram account that the cybercriminals controlled once they entered this information.

Using the victims’ Okta credentials, the threat actor could then access the organizations where they had worked. More advanced supply chain hacks that exploited the network access to acquire firm data then targeted the larger corporate ecosystems of which the enterprises were a part.

Group-IB researchers believe they have found a person who may be connected to the phishing campaign. Using Group-own IB’s unique methods, researchers were able to find Twitter and Github accounts that might be linked to a hacker engaging in the effort. It is known that they join Telegram channels that are widely used by cybercriminals, and they go by the username “X.” The original identity of the hacker has not yet been revealed by the researchers. Researchers claim that both profiles share the same username, profile picture, and user identity as a software developer who is 22 years old. Analysts claim that the Github account shows the user is based in North Carolina.