The hackers that breached Twilio earlier this month also compromised over 130 organizations during their hacking spree that netted the credentials of close to 10,000 employees.
Twilio’s recent network intrusion allowed the hackers access the data of 125 Twilio customers and companies — including end-to-end encrypted messaging app Signal — after tricking employees into handing over their corporate login credentials and two-factor codes from SMS phishing messages that purported to come from Twilio’s IT department. At the time, TechCrunch learned of phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider, but the scale of the campaign remained unclear.
Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it’s calling “0ktapus,” a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider.
Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB’s findings, with more than half containing captured multi-factor authentication codes used to access a company’s network.
“On many occasions, there are images, fonts, or scripts that are unique enough that they can be used to identify phishing websites designed with the same phishing kit,” Roberto Martinez, a senior threat intelligence analyst at Group-IB, told TechCrunch. “In this case, we found an image that is legitimately used by sites leveraging Okta authentication, being used by the phishing kit.”
“Once we located a copy of the phishing kit, we started digging deeper to get a better understanding of the threat. The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis,” said Martinez.
While it’s still not known how the hackers obtained phone numbers and the names of employees who were then sent SMS phishing messages, Group-IB notes that the attacker first targeted mobile operators and telecommunications companies and “could have collected the numbers from those initial attacks.”
Group-IB wouldn’t disclose the names of any of the corporate victims but said the list includes “well-known organizations,” most of which provide IT, software development and cloud services. A breakdown of the victims shared with TechCrunch shows that the threat actors also targeted 13 organizations in the finance industry, seven retail giants, and two video game organizations.
During its investigation, Group-IB discovered that code in the hacker’s phishing kit revealed configuration details of the Telegram bot that the attackers used to drop compromised data. (Cloudflare first revealed the use of Telegram by the hackers.) Group-IB identified one of the Telegram group’s administrators who goes by the handle “X,” whose GitHub and Twitter handles suggest they may reside in North Carolina.
Group-IB says it’s not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. “Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” the company added.
The Moscow-founded startup Group-IB was co-founded by Ilya Sachkov, who was the company’s chief executive until September 2021 when Sachkov was detained in Russia on charges of treason after allegedly transferring classified information to an unnamed foreign government, claims Sachkov denies. Group-IB, which has since moved its headquarters to Singapore, maintains the co-founder’s innocence.