Full Report
Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.
Analysis Summary
# Threat Actor: 0ktapus
## Attribution & Identity
Researchers associate this activity with the threat group nicknamed **0ktapus**, due to their focused abuse of the identity and access management firm, **Okta**.
## Activity Summary
0ktapus conducted a sprawling, multi-pronged phishing campaign targeting over 130 organizations globally, resulting in the compromise of 9,931 accounts. The campaign appears to have started by targeting telecommunications companies, possibly to gather phone numbers for the subsequent MFA-based attacks. The ultimate goal appears to be accessing company mailing lists or customer-facing systems to potentially facilitate supply-chain attacks (as seen in a related incident involving DoorDash). The campaign successfully compromised Okta identity credentials and Multi-Factor Authentication (MFA) codes from numerous users.
## Tactics, Techniques & Procedures
- **Phishing:** Sending text messages (SMS) containing links to malicious sites.
- **Credential Harvesting:** Directing victims to fake Okta authentication pages to steal login credentials.
- **MFA Interception:** Tricking victims into submitting valid MFA codes used to secure their logins.
- **Initial Access via Telecommunications Targets:** Researchers theorize that mobile operators/telecoms were targeted first to acquire the phone numbers needed for the SMS phishing.
- **Supply Chain Precursor:** Initial compromises of mostly software-as-a-service (SaaS) firms were considered Phase One, intended to enable later access to customer-facing systems or mailing lists.
## Targeting
- **Sectors:** Software-as-a-Service (SaaS) firms, telecommunications companies (initial potential targets).
- **Geography:** Victims observed across 68 countries, with 114 US-based firms impacted.
- **Victims:** Over 130 organizations affected. **DoorDash** publicly confirmed it was targeted in an attack bearing the hallmarks of 0ktapus, leading to the theft of personal information (names, phone numbers, email, delivery addresses) from customers and delivery personnel using stolen vendor credentials.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but the core mechanism heavily relies on custom **phishing sites mimicking Okta authentication pages.**
- **Infrastructure (C2, domains, IPs):** The delivery mechanism utilized links sent via **text messages (SMS)** to direct users to the credential harvesting sites.
## Implications
The 0ktapus campaign demonstrates adversaries' ability to effectively bypass robust security measures like MFA using relatively simple social engineering techniques. The success across 130+ firms highlights a significant threat to organizational identity management systems. The stated ultimate goal of accessing mailing lists strongly suggests aspirations for large-scale supply-chain compromise.
## Mitigations
- Implementing defenses that go beyond passwords and one-time MFA codes, since both were harvested and successfully bypassed in this campaign.
- Good hygiene practices around reviewing URLs and being careful where passwords are entered.
- Researchers specifically recommended using **FIDO2** protocols to mitigate these types of campaigns.
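The following is an added example, not part of the report or of any vendor's code, to show why the FIDO2 recommendation above holds: a one-time MFA code harvested on a fake login page can simply be forwarded to the real service, whereas a FIDO2/WebAuthn assertion is bound to the origin the browser is actually on and is rejected when relayed. All names (the `example-corp.test` origins, the OTP value) are constructed, and HMAC stands in for the authenticator's public-key signature so the script runs on the Python standard library alone; the origin-binding check is the real mechanism.

```python
"""Why a relayed OTP succeeds but a relayed FIDO2/WebAuthn assertion fails.

Constructed, simplified model: origin names are made up, and HMAC stands in for the
authenticator's asymmetric signature. The property demonstrated (the signed
clientData carries the browser's origin, which the relying party verifies) is real.
"""

import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "sso.example-corp.test"                      # constructed relying-party id
RP_ORIGIN = "https://sso.example-corp.test"          # constructed legitimate login origin
PHISH_ORIGIN = "https://sso.example-corp-okta.test"  # constructed lookalike phishing origin


def otp_server_check(expected_code: str, submitted_code: str) -> bool:
    """Server-side OTP check. The code carries no notion of where the user typed
    it, so a code harvested on a phishing page and relayed by the attacker within
    its validity window is indistinguishable from a genuine submission."""
    return hmac.compare_digest(expected_code, submitted_code)


class Authenticator:
    """Toy authenticator holding one secret per relying-party id (rp_id)."""

    def __init__(self) -> None:
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # a real authenticator hands the RP a public key instead

    def sign(self, rp_id: str, client_data: bytes) -> str:
        return hmac.new(self._keys[rp_id], client_data, hashlib.sha256).hexdigest()


def browser_get_assertion(auth: Authenticator, rp_id: str, challenge: str,
                          page_origin: str) -> dict:
    """Model of the browser's WebAuthn get() call. The browser, not the page,
    fills in the origin, and it refuses unless rp_id is the page's host or a
    registrable parent of it. This is the first barrier against a lookalike domain."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rp_id {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return {"client_data": client_data, "signature": auth.sign(rp_id, client_data)}


def rp_verify(key: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party verification: the signature must be valid AND the signed
    clientData must name the RP's own origin and the challenge it issued.
    This is the second barrier: tampered or cross-origin data fails here."""
    data = assertion["client_data"]
    expected_sig = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    parsed = json.loads(data)
    return (parsed.get("type") == "webauthn.get"
            and parsed.get("challenge") == challenge
            and parsed.get("origin") == RP_ORIGIN)


def relayed_otp_succeeds() -> bool:
    """Attacker proxies the real login, collects the victim's OTP on the phishing
    page and submits it to the real server: accepted."""
    code_typed_on_phish_page = "492817"  # constructed OTP value
    return otp_server_check("492817", code_typed_on_phish_page)


def fido2_login_succeeds(victim_page_origin: str) -> bool:
    """Same relay against a FIDO2 login: the attacker forwards the RP's real
    challenge to the victim's browser, which is on victim_page_origin."""
    auth = Authenticator()
    key = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)  # issued by the RP to the attacker's session
    try:
        assertion = browser_get_assertion(auth, RP_ID, challenge, victim_page_origin)
    except PermissionError:
        return False  # the browser never produced anything for the attacker to relay
    return rp_verify(key, challenge, assertion)


if __name__ == "__main__":
    print("relayed OTP accepted:      ", relayed_otp_succeeds())
    print("FIDO2 from phishing origin:", fido2_login_succeeds(PHISH_ORIGIN))
    print("FIDO2 from real origin:    ", fido2_login_succeeds(RP_ORIGIN))
```

Running it shows the asymmetry the report's researchers rely on: the OTP path returns `True` for the relayed code, while the FIDO2 path returns `False` from the lookalike origin and `True` only from the genuine one. In a real deployment the browser check is enforced by the browser and the origin check by the server's WebAuthn library, so neither depends on the user noticing the lookalike URL.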