Twilio Breach Revealed to Be One of Many in Hacker Group 0ktapus’s Spree

By Spencer Hulse
Published on August 30, 2022

When it comes to cybersecurity, it is often the human factor that is the most vulnerable. That is why more and more companies are training employees to spot potential threats and increase their security awareness. But, despite training, incidents are still common. That includes a recent wide-reaching cybersecurity issue caused by a hacker group that resulted in more than 130 breaches, with Twilio being one of its victims.

Part of the hacker group’s campaign started earlier this month with a network intrusion at Twilio. The intrusion gave the hackers access to the data of 125 Twilio customers, including Signal, an end-to-end encrypted messaging app. From Signal alone, the hackers obtained phone numbers and SMS verification codes for nearly 2,000 users.

The hackers then impersonated Twilio’s IT department, tricking employees into handing over sensitive credentials and two-factor codes.

Such a breach would already be a big deal, but according to cybersecurity company Group-IB, Twilio was only a single part of a much larger campaign. Group-IB uncovered this during an investigation that began after one of its customers encountered a phishing account linked to the campaign.

The group of hackers responsible received the codename “0ktapus” for primarily targeting organizations using Okta. Okta is an identity and password management company that provides customers with forms of authentication, such as codes delivered via SMS through Twilio.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB said. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

The phishing campaign included at least 169 unique domains and affected more than 130 organizations. Group-IB also reported that most targets were based in the US or had US-based staff, with more than 100 of the victim organizations located in the US.

Additionally, the investigation found that the group had stolen almost 10,000 credentials since March.

While Group-IB did not disclose the well-known organizations affected by the hacking spree, it did reveal that most were IT, software development, and cloud services providers. However, the financial, retail, and video game industries were likewise affected.

Another revelation from Group-IB’s investigation was that the code in the phishing kit exposed details of the Telegram bot used to drop compromised data. That in turn led to one of the Telegram group’s admins, known as “X,” who is suspected to reside in North Carolina.

Despite all of the information gathered, there is still much that remains unknown when it comes to the purpose and design of the hacking campaign. Group-IB said that it was unclear if the entire campaign was planned from start to finish or if each stage was taken step by step as opportunities presented themselves.

Additionally, with so many breaches and so much data revealed to the hackers, it will be hard to figure out the full scale of the campaign in the short term. Only one thing is truly certain, and that is the success of 0ktapus’s efforts.

Spencer Hulse is the Editorial Director at Grit Daily. He is responsible for overseeing other editors and writers, day-to-day operations, and covering breaking news.