Starting in 2022, the group broadened its targets, focusing on companies in the cable telecoms, email, and tech sectors. They later joined forces with the ALPHV/BlackCat ransomware group. Initially, they were involved in SIM swaps and account theft, especially targeting individuals with cryptocurrency assets. By the end of 2022, their activities shifted to phishing, mass password resets for compromised service providers, and data theft.
This year, the sectors they attacked encompassed gaming, hospitality, retail, manufacturing, technology, and finance, as well as managed service providers (MSPs). After partnering with ALPHV/BlackCat, they expanded their tactics to both data theft and encryption.
Microsoft’s analysis highlights the group’s increased sophistication and aggression. They’ve even resorted to physical threats to further their objectives.
Surprisingly, Octo Tempest became an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation, with a focus on deploying ransomware on both Windows and Linux, specifically VMware ESXi servers.
Microsoft noted the uniqueness of this collaboration since Eastern European ransomware entities traditionally avoided partnerships with native English-speaking criminals. Recent attacks span across various sectors, from gaming to legal to financial services.
Tactics and Techniques
Microsoft describes Octo Tempest as highly organized, boasting members with considerable technical prowess. Their approach often involves:
- Advanced social engineering targeting tech administrators.
- Impersonation, including mimicking speech in phone calls.
- Deceptive tactics like having victims install certain software, phishing, buying credentials, SMS phishing, SIM-swapping, or even direct threats of violence.
- Extensive reconnaissance, where they gather critical information to further their intrusion.
Microsoft further elaborates that the group goes lengths to hide their tracks, including targeting security personnel to disable safety measures. Their arsenal includes tools like Jercretz and TruffleHog for credential hunting, as well as many open-source tools.
They employ unique techniques for data transfer, using Azure Data Factory to blend with regular big data operations. Additionally, they’ve been found using legitimate backup solutions, such as Veeam and CommVault, to expedite data transfers.
Given their use of social engineering and varied tools, Microsoft admits that detecting Octo Tempest’s activities is challenging. Nonetheless, they recommend monitoring identity-related processes, Azure setups, and endpoints as a starting point.
At its core, Octo Tempest is financially driven, seeking profit through cryptocurrency theft, data extortion, or system encryption for ransoms.