Octo Tempest: a gang with an international reach.
By Tim Nodar, CyberWire senior staff writer
Oct 27, 2023

English-speaking, and willing to make violent threats against its prospective victims.

Microsoft describes “Octo Tempest,” a financially motivated threat actor that uses social engineering to compromise organizations around the world.

Eastern European gangs overcome their reservations about anglophone colleagues.

“In mid-2023,” Microsoft researchers write, “Octo Tempest became an affiliate of ALPHV/BlackCat, a human-operated ransomware as a service (RaaS) operation, and initial victims were extorted for data theft (with no ransomware deployment) using ALPHV Collections leak site. This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals. By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMWare ESXi servers. Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.” Among the gang's victims, the Record points out, was MGM Resorts. At the time of that attack, the group was being called Scattered Spider, 0ktapus, or UNC3944.

Pushing social engineering into violent threats.

One of the more repellent features of Octo Tempest's activity is its willingness to make direct personal threats of violence to bully victims into giving up their credentials. A sample threat reads as follows (and we note that speaking English doesn't mean writing it well--the language is coarse, debased, and primitive): "if we dont get ur [redacted] login in the next 20 minutes were sending a shooter to ur house ur wife is gonna get shot if u dont fold it lmk [redacted] well send shooters to both LOL."

A “spectrum of motives,” but a growing threat actor complexity.

Roger Grimes, data-driven defense evangelist at KnowBe4, notes that similar tactics can be adapted to a range of adversarial purposes. “These are examples of highly sophisticated attacks across the spectrum of possible attacks and motives," he wrote. "Every organization must create its best defense-in-depth cyber defense plan using the best combination of policies, technical defenses, and education, to best mitigate the risk of these attacks. The methods and sophistication of these attacks must be shared to employees. They need lots of examples. Employees need to be able to recognize the various cyber attack methods and be taught how to recognize, mitigate, and appropriately report them. We know that 50% to 90% involve social engineering and 20% to 40% involve unpatched software and firmware, so whatever an organization can do to best fight those two attack methods is where they should likely start.”