Octo Tempest hackers target industries, Microsoft warns

Microsoft has disclosed the activities of a prolific financially motivated hacking group known as Octo Tempest, targeting a wide range of industries. These industries include telecommunications, BPO, email, tech services, gaming, hospitality, retail, MSPs, manufacturing, technology, and finance.

Octo Tempest is known for its use of social engineering attacks to gain initial access to privileged accounts, often targeting support and help desk personnel. The group has also been observed purchasing employee credentials and session tokens on the criminal underground market, or calling individuals directly to socially engineer them into performing actions such as installing RMM utilities, visiting fake login portals, or removing their FIDO2 tokens.

Once initial access is gained, Octo Tempest carries out reconnaissance of the environment and performs privilege escalation, often by exploiting stolen password policy procedures or by downloading user, group, and role exports. The group has also been observed compromising security personnel accounts to impair security products and tampering with security staff mailbox rules so that emails from vendors are deleted before anyone reads them.
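The mailbox-rule tampering described above leaves an audit trail: an inbox rule is created or modified that deletes, hides, or marks as read mail from a security vendor. The following is an added example, not code from the article or from Microsoft's report, that scans a handful of constructed audit-log records (shaped loosely like Exchange Online `New-InboxRule` / `Set-InboxRule` events; the exact parameter layout and the vendor domain list are assumptions) and flags rules that would suppress vendor mail.

```python
"""
Added example: flag inbox rules that hide mail from security vendors.
The events below are constructed samples, not real audit data. The
Operation names New-InboxRule and Set-InboxRule are real Exchange
operations, but the simplified "Parameters" layout is an assumption.
"""

# Constructed sample audit events (not real data)
SAMPLE_EVENTS = [
    {"UserId": "soc-analyst@example.com", "Operation": "New-InboxRule",
     "Parameters": {"Name": "cleanup",
                    "FromAddressContainsWords": "crowdstrike.com",
                    "DeleteMessage": "True"}},
    {"UserId": "sales@example.com", "Operation": "New-InboxRule",
     "Parameters": {"Name": "newsletters",
                    "SubjectContainsWords": "promo",
                    "MoveToFolder": "Newsletters"}},
    {"UserId": "it-admin@example.com", "Operation": "Set-InboxRule",
     "Parameters": {"Name": "vendor",
                    "FromAddressContainsWords": ["microsoft.com", "msft"],
                    "MoveToFolder": "RSS Subscriptions",
                    "MarkAsRead": "True"}},
    {"UserId": "soc-analyst@example.com", "Operation": "Set-Mailbox",
     "Parameters": {"ForwardingSmtpAddress": "someone@example.net"}},
]

# Assumed list of sender domains the security team depends on for alerts
VENDOR_DOMAINS = {"microsoft.com", "crowdstrike.com", "paloaltonetworks.com"}

# Rule operations and the actions that keep a message out of the user's sight
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage",
                  "MoveToFolder", "MarkAsRead"}
SENDER_FIELDS = ("FromAddressContainsWords", "From")


def _as_list(value):
    """Audit parameters may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def matched_vendor(params, vendor_domains=VENDOR_DOMAINS):
    """Return the first vendor domain a rule's sender condition refers to, or None."""
    for field in SENDER_FIELDS:
        for word in _as_list(params.get(field)):
            word = word.lower()
            for domain in vendor_domains:
                if domain in word:
                    return domain
    return None


def find_suspicious_rules(events, vendor_domains=VENDOR_DOMAINS):
    """Return findings for rule events that both match a vendor sender and hide mail."""
    findings = []
    for event in events:
        if event.get("Operation") not in RULE_OPS:
            continue
        params = event.get("Parameters", {})
        domain = matched_vendor(params, vendor_domains)
        actions = sorted(HIDING_ACTIONS & set(params))
        if domain and actions:
            # Outright deletion is worse than moving/marking read, so rank it higher
            severity = "high" if "DeleteMessage" in actions else "medium"
            findings.append({"user": event.get("UserId"),
                             "rule": params.get("Name"),
                             "domain": domain,
                             "actions": actions,
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_EVENTS):
        print(finding)
```

Only two of the four sample events should fire: the newsletter rule does not touch a vendor sender, and the forwarding change is a different operation (worth its own detection, but not this one). In practice the vendor list would be maintained per tenant and the check would run over real audit exports rather than the constructed records above.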

In addition to its social engineering and privilege escalation techniques, Octo Tempest employs a broad arsenal of tools and tactics, including enrolling actor-controlled devices into device management software to bypass controls and replaying harvested tokens with satisfied MFA claims to bypass MFA.

This demonstrates the group's extensive technical expertise and its ability to navigate complex hybrid environments. Octo Tempest has also been observed using a unique technique to compromise VMware ESXi infrastructure: installing the open-source Linux backdoor Bedevil and then launching VMware Python scripts to run arbitrary commands against the virtual machines hosted on the server.

Microsoft notes that Octo Tempest has been observed targeting a wide range of victims, including high-net-worth individuals and Fortune 500 companies. The group’s end goals vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

Between late 2022 and early 2023, Octo Tempest began monetizing intrusions by extorting victim organizations over data stolen during its operations, in some cases even resorting to physical threats. In rare instances, the group has also resorted to fear-mongering tactics, targeting specific individuals through phone calls and texts and using personal information to coerce victims into sharing credentials for corporate access.

The sources for this piece include an article in TheHackerNews.

IT World Canada Staff
The online resource for Canadian Information Technology professionals.
