Octo Tempest

Threat Actor Profile Updated 7 days ago
Octo Tempest, also known as Scattered Spider, is a financially motivated threat actor known for extensive campaigns that combine adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping. This native English-speaking collective has evolved into a significant source of ransomware attacks; Microsoft's Threat Intelligence Team has warned that it has added RansomHub and Qilin to its repository of ransomware for use in attacks. Octo Tempest has been linked to several high-profile hacks, including those on Las Vegas, Twilio, and BlackCat, and has partnered with RansomHub, a popular ransomware-as-a-service (RaaS) offering. The group first gained attention through its "Oktapus" campaign, which targeted over 130 well-known organizations. Once it gains access to a system, Octo Tempest wraps its tentacles around valuable assets and collects additional credentials by running third-party credential-harvesting tools against both cloud and on-premises assets. It employs unusual techniques such as using Azure Data Factory and automated pipelines to extract data to external, actor-hosted Secure File Transfer Protocol (SFTP) servers, blending in with typical big-data operations. Octo Tempest accesses data in code repositories, large document management and storage systems (including SharePoint), SQL databases, cloud storage blobs and buckets, and email, using legitimate management clients to connect and collect. The goal remains financial gain, but the monetization technique varies by industry, ranging from cryptocurrency theft to data exfiltration for extortion and ransomware deployment. The group uses its access to internal networks to search broadly across knowledge repositories for documents on network architecture, employee onboarding, remote access methods, password policies, and credential vaults.
In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals with phone calls and texts, as well as physical threats, to coerce victims into sharing credentials for corporate access.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Scattered Spider | 4 | Scattered Spider is a prominent threat actor group involved in cybercrime activities with malicious intent. The group employs various tactics to compromise its targets, including phishing for login credentials, searching SharePoint repositories for sensitive information, and exploiting infrastructur
UNC3944 | 3 | UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor that has been active since 2021. Initially targeting telecommunication firms and tech companies, the group has expanded its range to include hospitality, retail, media, and financial services sectors. The gr
Ransomhub | 2 | RansomHub, a threat actor known for executing actions with malicious intent, has recently been linked to several high-profile cyber-attacks. The group is recognized for its ransomware attacks, which have resulted in significant data breaches at multiple companies. Christie, a prominent organization,
Qilin | 2 | Qilin, a notable threat actor in the cybersecurity landscape, has been significantly active over the last two years, compromising more than 150 organizations across 25 countries and various industries. Originally evolving from the Agenda ransomware written in Go, Qilin has since transitioned to Rust
Oktapus | 1 | Oktapus, a threat actor also known as Scattered Spider, Scatter Swine, and Muddled Libra, has been identified as a significant cybersecurity risk due to its sophisticated phishing campaigns. The group first gained notoriety in 2022 when it launched the Oktapus phishing campaign, targeting employees
Scatter Swine | 1 | Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when they executed smishing attacks against over 100 organizations, including Twilio
Muddled Libra | 1 | Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Phishing
Esxi
Reconnaissance
Cybercrime
Extortion
Azure
Microsoft
RaaS
Windows
Mongodb
Sharepoint
AITM
Linux
Ransom
Encryption
Encrypt
LOTL
Malwarebytes
Rmm
Payload
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
AlphV | Unspecified | 4 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2024-38112 | Unspecified | 1 | None
Source Document References
Information about the Octo Tempest threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 2 days ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 days ago | Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 6 days ago | Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
DARKReading | 7 days ago | Microsoft: Scattered Spider Widens Web With RansomHub & Qilin
DARKReading | 5 months ago | The Rise of Social Engineering Fraud in Business Email Compromise
DARKReading | 7 months ago | Millions of Microsoft Accounts Power Lattice of Automated Cyberattacks
CERT-EU | 8 months ago | Protecting credentials against social engineering: Cyberattack Series | Microsoft Security Blog
CERT-EU | 9 months ago | Meet Octo Tempest, 'Most Dangerous Financial' Hackers
BankInfoSecurity | 9 months ago | Meet Octo Tempest, 'Most Dangerous Financial' Hackers
DARKReading | 8 months ago | Scattered Spider Casino Hackers Evade Arrest in Plain Sight
CERT-EU | 8 months ago | FBI and CISA warn against Scattered Spider triggered cyber attacks - Cybersecurity Insiders
Malwarebytes | 8 months ago | Scattered Spider ransomware gang falls under government agency scrutiny | Malwarebytes
CERT-EU | 8 months ago | Bolster Identity Security with Threat Detection & Response
CERT-EU | 8 months ago | FBI shares tactics of notorious Scattered Spider hacker collective
BankInfoSecurity | 8 months ago | CISA, FBI Issue New Warning Following Las Vegas Cyberattack
CERT-EU | 8 months ago | Sandworm, a Russian Threat Actor, Disrupted Power in Ukraine Via Cyberattack
Malwarebytes | 9 months ago | Medical research data Advarra stolen after SIM swap | Malwarebytes