The hackers that breached Twilio earlier this month also compromised more than 130 organizations during their hacking spree that netted the credentials of close to 10,000 employees.
Twilio's recent network intrusion allowed the hackers to access the data of 125 Twilio customers and companies — including end-to-end encrypted messaging app Signal — after tricking employees into handing over their corporate login credentials and two-factor codes from SMS phishing messages that purported to come from Twilio’s IT department. At the time, TechCrunch learned of phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider, but the scale of the campaign remained unclear.
Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it's calling "0ktapus," a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider.
Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB’s findings, with more than half containing captured multi-factor authentication codes used to access a company's network.
"On many occasions, there are images, fonts or scripts that are unique enough that they can be used to identify phishing websites designed with the same phishing kit," Roberto Martinez, a senior threat intelligence analyst at Group-IB, told TechCrunch. "In this case, we found an image that is legitimately used by sites leveraging Okta authentication being used by the phishing kit."
“Once we located a copy of the phishing kit, we started digging deeper to get a better understanding of the threat. The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis," said Martinez.
While it's still not known how the hackers obtained phone numbers and the names of employees who were then sent SMS phishing messages, Group-IB notes that the attacker first targeted mobile operators and telecommunications companies and “could have collected the numbers from those initial attacks.”
Group-IB wouldn’t disclose the names of any of the corporate victims but said the list includes “well-known organizations,” most of which provide IT, software development and cloud services. A breakdown of the victims shared with TechCrunch shows that the threat actors also targeted 13 organizations in the finance industry, seven retail giants and two video game organizations.
During its investigation, Group-IB discovered that code in the hacker's phishing kit revealed configuration details of the Telegram bot that the attackers used to drop compromised data. (Cloudflare first revealed the use of Telegram by the hackers.) Group-IB identified one of the Telegram group's administrators who goes by the handle "X," whose GitHub and Twitter handles suggest they may reside in North Carolina.
Group-IB says it’s not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. “Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” the company added.
The Moscow-founded startup Group-IB was co-founded by Ilya Sachkov, who was the company's chief executive until September 2021 when Sachkov was detained in Russia on charges of treason after allegedly transferring classified information to an unnamed foreign government, claims Sachkov denies. Group-IB, which has since moved its headquarters to Singapore, maintains the co-founder's innocence.
Hugh Bonneville also reflected on Paddington's surprise appearance alongside the Queen during the Platinum Jubilee celebrations.
Idris Elba says he was perfectly cast for his latest film, the survival adventure Beast.
Elizabeth Debicki is the latest actress to take on the role of the princess in the upcoming fifth series of The Crown.
Baltasar Kormákur has a reputation for survival movies, pitting his actors against the natural world.
The veteran actor starred in numerous films shot at the film studio.
The twisty new Netflix thriller unfolds on the streets of London, with Hugh Bonneville as a judge hiding dark secrets.
Thirty years on from its release, the Twin Peaks movie is now regarded as one of its directors finest films. But it wasn’t always like that.
British rapper Stormzy showed his support for the actor at the premiere.
The Don’t Worry Darling filmmaker has spoken for the first time about the incident.
There's something sinister lurking behind the gates and opulent furniture of wealthy Londoners in Babak Anvari's new movie 'I Came By'.
HIT PAUSE: Amanda Whiting tries to work out if HBO’s new hidden-camera comedy is the height of hilarity, or simply unbearable. Consider this your warning
The actress’ sons said the outpouring of kindness following their mother’s death had shown them she also belonged ‘to her fans’.
The actor plays member of the London elite and former High Court judge Sir Hector Blake in the new film.
The British actor said the company’s response to abuse directed at the Obi-Wan Kenobi star ‘fulfils my time where I didn’t get the support’.
As a retired judge with a dark secret, Hugh Bonneville's performance is one of the big surprises of twisty thriller 'I Came By'.
The Amazing Spider-Man star has defended method acting, insisting it is not about being an 'a***hole'.
The director admitted he ‘cannot wait’ for the film’s release, as Netflix shared a picture of the ‘glam European beach vacation whodunnit’.
The actor defended the process in a recent interview.
The actor said the claims were ‘all false’ and that ‘nothing happened’ during the alleged incidents.
The 11-year-old boy earned the support of celebrities in 2020 after he was bullied for his disability
