# Incident Report: The "Oktapus" (ScatterSwine) SMishing Campaign
## Executive Summary
A sophisticated threat actor group known as "Oktapus" (or "ScatterSwine") targeted over 130 organizations, notably Twilio, MailChimp, DoorDash, and DigitalOcean, using targeted SMishing (SMS phishing) attacks. By harvesting Okta credentials and bypass codes in real time, the attackers breached internal networks, exfiltrated sensitive customer data, and pivoted into downstream client environments.
## Incident Details
- **Discovery Date:** August 2022 (Widely publicized discovery)
- **Incident Date:** July – August 2022
- **Affected Organizations:** 136+ organizations (including Twilio, MailChimp, Cloudflare, DoorDash, DigitalOcean)
- **Sector:** Technology, FinTech, Retail, Services
- **Geography:** Global (Primary focus on United States)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2022
- **Vector:** Targeted SMS Phishing (SMishing)
- **Details:** Employees received text messages with links to spoofed login pages (e.g., `[company]-okta[.]com`). These pages intercepted corporate credentials and 2FA codes in real-time.
### Lateral Movement
- Using stolen Okta sessions, attackers accessed internal systems such as administrative consoles and customer support dashboards. In the Twilio breach, they used these permissions to access internal consoles.
### Data Exfiltration/Impact
- **Twilio:** Access to 125 customers' data; unauthorized access to Authy accounts (registered new devices).
- **DigitalOcean:** Attackers utilized the Twilio breach to intercept password reset emails for several customers.
- **MailChimp:** Unauthorized access to internal tools allowed attackers to view customer data and mailing lists.
### Detection & Response
- **Detection:** Discovered via internal security monitoring of unauthorized device registrations and employee reporting of suspicious SMS.
- **Response Actions:** Revocation of compromised credentials, mandatory password resets, and hardware security key enforcement.
## Attack Methodology
- **Initial Access:** SMS Phishing (SMishing) with tailored social engineering.
- **Persistence:** Registration of attacker-controlled devices to Multi-Factor Authentication (MFA) services (e.g., Okta, Authy).
- **Privilege Escalation:** Harvesting high-privilege administrative credentials through phishing.
- **Defense Evasion:** Use of legitimate-looking domain names and mimicking internal SSO portals.
- **Credential Access:** Real-time interception of usernames, passwords, and 2FA tokens via transparent proxy/phishing kits.
- **Discovery:** Accessing internal helpdesk and customer management dashboards to identify high-value targets.
- **Lateral Movement:** Pivoting from service provider environments (Twilio/MailChimp) to their downstream customers' accounts.
- **Collection:** Exporting customer lists, contact info, and internal API keys.
- **Exfiltration:** Direct download of customer databases and mailing lists through compromised admin tools.
- **Impact:** Significant data breach affecting downstream supply chains.
## Impact Assessment
- **Financial:** High costs associated with incident response, legal fees, and potential regulatory fines.
- **Data Breach:** Thousands of customer contact details, mailing lists, and 2FA device registries compromised.
- **Operational:** Temporary suspension of internal tools; emergency migration to hardware-based MFA.
- **Reputational:** Significant brand damage to major tech providers serving as the "trust layer" of the internet.
## Indicators of Compromise
- **Network indicators:**
  - `okta-twilio[.]com`
  - `mailchimp-okta[.]com`
  - `door-okta[.]com`
  - `m-okta[.]org`
- **File indicators:** N/A (web-based campaign)
- **Behavioral indicators:** Login attempts from unknown IP ranges; new MFA device enrollment from outside the corporate network; unusual access patterns in customer support consoles.
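The "new MFA device enrollment from outside the corporate network" indicator above can be turned into a detection rule over the identity provider's log. The following is an added example, not code from the report or from Okta: it assumes a simplified record shape modelled on Okta System Log JSON (`eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result`), uses constructed sample events and assumed corporate egress ranges, and raises severity when a fresh session from the same non-corporate IP preceded the enrollment.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample records shaped like a subset of Okta System Log JSON.
# Assumption: field names follow that schema; only the fields used here are present.
SAMPLE_LOG = """
{"published":"2022-08-04T19:02:11.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"}}
{"published":"2022-08-04T19:03:40.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"}}
{"published":"2022-08-04T09:15:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"10.20.30.40"},"outcome":{"result":"SUCCESS"}}
{"published":"2022-08-04T09:16:10.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"10.20.30.40"},"outcome":{"result":"SUCCESS"}}
{"published":"2022-08-04T11:00:00.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"198.51.100.9"},"outcome":{"result":"FAILURE"}}
"""

# Assumed corporate egress ranges; replace with the organisation's real ones.
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
ENROLL_WINDOW = timedelta(minutes=15)  # login-then-enroll window that raises severity

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)

def parse_events(text: str) -> list:
    """Parse one JSON record per line into flat dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "ts": datetime.strptime(rec["published"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "type": rec["eventType"],
            "user": rec["actor"]["alternateId"],
            "ip": rec["client"]["ipAddress"],
            "ok": rec["outcome"]["result"] == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])

def detect_suspicious_enrollments(text: str) -> list:
    """Flag successful MFA factor enrollments from outside corporate ranges.
    Severity is 'high' when a session start from the same non-corporate IP
    for the same user preceded the enrollment within ENROLL_WINDOW."""
    events = parse_events(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "user.mfa.factor.activate" or not ev["ok"] or is_corporate(ev["ip"]):
            continue
        recent_login = any(
            p["type"] == "user.session.start" and p["user"] == ev["user"] and p["ip"] == ev["ip"]
            and timedelta(0) <= ev["ts"] - p["ts"] <= ENROLL_WINDOW
            for p in events[:i]
        )
        alerts.append({"user": ev["user"], "ip": ev["ip"],
                       "severity": "high" if recent_login else "medium"})
    return alerts
```

Failed enrollments and enrollments from corporate ranges are ignored here; a production rule would also join against the device-management inventory to catch the "non-managed device" case.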
## Response Actions
- **Containment:** Terminated active Okta sessions and rotated API keys.
- **Eradication:** Removed unauthorized devices from Authy and Okta accounts.
- **Recovery:** Restoration of customer accounts and notification of affected downstream users.
## Lessons Learned
- **MFA Vulnerability:** Traditional 2FA (SMS/TOTP) is vulnerable to real-time "man-in-the-middle" phishing, because the proxy relays the one-time code to the real login page before it expires.
- **Supply Chain Risk:** A breach at a service provider (Twilio/Mailchimp) creates a massive "blast radius" for their corporate clients.
- **Speed of Attack:** The attackers moved from initial SMS to data exfiltration within minutes.
## Recommendations
- **Hardware MFA:** Implement FIDO2/WebAuthn-compliant hardware security keys (e.g., YubiKeys) to prevent phishing-based session interception.
- **SSO Monitoring:** Alert on new device enrollments and logins from non-managed devices.
- **Domain Monitoring:** Proactively monitor for "typosquatting" domains mimicking company SSO portals.
- **Employee Training:** Enhance training to include the recognition of SMS-based social engineering.
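The domain-monitoring recommendation can be scripted against a feed of newly registered or certificate-transparency domains. This is an added example, not code from the report: it assumes brand tokens for the organisations named above, an allowlist of registrable domains where an "okta" label is legitimate (the real tenant pattern `<org>.okta.com` is an assumption), approximates the registrable domain as the last two labels, and accepts defanged input such as `okta-twilio[.]com` as used in the Indicators of Compromise section.

```python
import re

# Brand tokens for the organisations named in the report, and the SSO tokens the
# lookalike domains paired them with.
BRANDS = {"twilio", "mailchimp", "doordash", "digitalocean", "cloudflare"}
SSO_TOKENS = {"okta", "sso", "login", "signin"}
# Registrable domains that legitimately carry these tokens (assumption: the real
# Okta tenant lives under okta.com, e.g. <org>.okta.com).
LEGIT_REGISTRABLE = {"okta.com", "twilio.com", "mailchimp.com", "doordash.com"}

def refang(domain: str) -> str:
    """Turn defanged notation such as okta-twilio[.]com back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")

def registrable(host: str) -> str:
    # Simplification: last two labels. A public-suffix list is needed for co.uk etc.
    return ".".join(host.split(".")[-2:])

def brand_matches(label: str) -> set:
    # Exact brand, or an abbreviation of at least three characters that starts a
    # brand ("door" -> doordash). Single letters such as "m" are deliberately not matched.
    return {b for b in BRANDS if label == b or (len(label) >= 3 and b.startswith(label))}

def classify(domain: str) -> tuple:
    """Return (verdict, reasons); verdict is one of allow / review / block."""
    host = refang(domain)
    if registrable(host) in LEGIT_REGISTRABLE:
        return "allow", []
    labels = [lab for lab in re.split(r"[.\-]", host) if lab]
    # SSO tokens are matched as substrings so "twiliookta" is caught; this costs
    # some noise (e.g. "assorted" contains "sso"), which only reaches the review tier.
    sso_hits = sorted(t for t in SSO_TOKENS if any(t in lab for lab in labels))
    brand_hits = sorted(set().union(*(brand_matches(lab) for lab in labels)))
    reasons = [f"sso:{t}" for t in sso_hits] + [f"brand:{b}" for b in brand_hits]
    if sso_hits and brand_hits:
        return "block", reasons      # brand + SSO token outside the legit zone
    if sso_hits:
        return "review", reasons     # SSO token alone, e.g. m-okta.org
    return "allow", reasons
```

Run `classify` over each new domain from the feed and route "block" verdicts to takedown and mail/web filtering, "review" verdicts to an analyst queue.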