
Hackers Behind Twilio Breach Targeted Over 130 Organizations

The hackers' phishing kit compromised almost 10,000 user login credentials, according to security firm Group-IB.

Michael Kan, Principal Reporter


The hackers who successfully breached Twilio and targeted Cloudflare have been going after dozens of companies across the software, finance, and telecommunications industries, according to security researchers. 

The hackers used a phishing kit dubbed “Oktapus” to target over 130 organizations, most of which are based in the US, according to cybersecurity firm Group-IB. The company published a report on Thursday covering the tools used and revealing the possible identity of one of the hackers.

A phishing kit is a set of software tools that can create phishing messages and websites designed to trick unsuspecting users into typing in their login credentials. In this case, the Oktapus hackers have been sending out SMS messages to employees at various companies. These messages lead to seemingly legitimate, but ultimately fake, Okta login pages capable of recording passwords.

The phishing page

“From the victim’s point of view, the phishing site looks quite convincing as it is very similar to the authentication page they are used to seeing. Victims are prompted for their username and password, and once provided, a second page is shown asking for their 2FA (two-factor authentication) code,” Group-IB wrote in the report. The hackers will then quickly use the login credentials, including the 2FA code, to break into an employee’s corporate account. 

The phishing technique

Group-IB tracked down the Oktapus group’s activities by searching the internet for an image the hackers added to their phishing pages. This led the security firm to uncover the various companies the Oktapus phishing kit has been targeting. Group-IB also managed to download a copy of the hackers’ phishing kit, which the Oktapus group shared on a file-hosting service. 

The security firm’s investigation shows that Oktapus stole at least 9,931 user credentials since March, including 5,441 multi-factor authentication codes. Among those stolen user credentials, 3,120 were tied to unique email domains belonging to 136 organizations. 

list of phishing domains

“Most companies in the victims’ list are providing IT, software development, and cloud services,” Group-IB said. The hackers’ likely goal has been to infiltrate the companies to steal even more information, including private and confidential data. 

“According to the compromised data we analyzed, the actors started their attacks targeting mobile operators and telecommunications companies,” Group-IB said. This might be how the hackers have been obtaining phone numbers of employees at the various companies they’ve been trying to infiltrate. Some of the phishing domains used mention AT&T, T-Mobile, and MetroPCS, along with Best Buy, Coinbase, and Binance. 

Subject X

Group-IB then examined a channel on the Telegram messaging app that the phishing kit uses to collect compromised user data. This led the security firm to uncover a user named X, who administered the Telegram channel. 

“Using Group-IB Threat Intelligence to monitor Telegram channels used by cybercriminals, we were able to identify a few channels where Subject X was active at some point. One of the posts made by Subject X in 2019 led us to his Twitter account. The same tool also gave us the name and last name the administrator of the channel was using, before adopting the name ‘X’,” the security firm said. 

Hacker's Twitter page

Group-IB says it’s also uncovered a GitHub account belonging to the alleged hacker, which contains a profile and suggests the user is based in North Carolina. Group-IB didn't immediately respond to a request for comment. But presumably, the security firm has handed over the details to law enforcement.
