Microsoft has identified the native English-speaking group Octo Tempest as one of the most dangerous financially motivated hacking groups. Octo Tempest has evolved from selling SIM swaps and stealing accounts to conducting phishing attacks, data theft, and ransomware attacks. They target organizations in various sectors and have partnered with the ALPHV/BlackCat ransomware group. Earlier this year, the threat group attacked companies in the gaming, hospitality, retail, manufacturing, technology, and financial sectors, as well as managed service providers (MSPs).
The group uses advanced social engineering techniques, physical threats, and multiple methods for initial access. They escalate privileges, explore infrastructure, and hide their presence on the network. Detecting Octo Tempest is challenging due to its use of social engineering and diverse tooling. They are financially motivated and engage in cryptocurrency theft, data extortion, and ransomware attacks.
As an insight into how they operate: to escalate privileges, the threat actor again turns to social engineering, SIM swapping, or call forwarding, and initiates a self-service password reset of the target's account.
During this step, the hackers build trust with the victim by using compromised accounts and demonstrating an understanding of the company’s procedures. If they have a manager’s account, they approve requests for increased permissions themselves.
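The escalation chain described above (a self-service password reset on an account, followed by that account approving a privilege request, or approving its own) can be turned into a simple correlation rule over identity logs. This is an added example, not code from Microsoft's report; the event types, field names and the 24-hour window are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real tenant): a manager account is
# reset via SSPR, then the same account approves an elevation request minutes later.
EVENTS = [
    {"ts": "2023-10-25T09:02:00", "type": "sspr_completed", "actor": "mgr.alice", "target": "mgr.alice"},
    {"ts": "2023-10-25T09:20:00", "type": "elevation_requested", "actor": "helpdesk.bob", "target": "helpdesk.bob"},
    {"ts": "2023-10-25T09:25:00", "type": "elevation_approved", "actor": "mgr.alice", "target": "helpdesk.bob"},
    {"ts": "2023-10-25T14:00:00", "type": "elevation_requested", "actor": "dev.carol", "target": "dev.carol"},
    {"ts": "2023-10-26T10:00:00", "type": "elevation_approved", "actor": "mgr.dave", "target": "dev.carol"},
    {"ts": "2023-10-26T11:00:00", "type": "elevation_requested", "actor": "mgr.dave", "target": "mgr.dave"},
    {"ts": "2023-10-26T11:01:00", "type": "elevation_approved", "actor": "mgr.dave", "target": "mgr.dave"},
]


def find_suspicious_approvals(events, window=timedelta(hours=24)):
    """Flag approvals matching the escalation pattern in the report:
    (a) the approver's own password was reset via SSPR within `window` before the approval, or
    (b) the approver approved their own elevation request."""
    recent_resets = {}  # account -> time of its most recent SSPR completion
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sspr_completed":
            recent_resets[ev["target"]] = t
        elif ev["type"] == "elevation_approved":
            reasons = []
            reset_at = recent_resets.get(ev["actor"])
            if reset_at is not None and t - reset_at <= window:
                reasons.append("approver password reset via SSPR %s before approval" % (t - reset_at))
            if ev["actor"] == ev["target"]:
                reasons.append("self-approval of own elevation")
            if reasons:
                findings.append({"ts": ev["ts"], "approver": ev["actor"],
                                 "target": ev["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_approvals(EVENTS):
        print(f)
```

Feed the rule real SSPR and role-assignment audit events and review every hit with the requester out of band, since the approving account may itself be the one that was taken over.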
Why do we care?
With managed services providers being called out specifically, I wanted to highlight this report. The group’s sophisticated use of social engineering—including SIM-swapping and impersonation of managers—makes them particularly hard to detect and counter. MSPs need to incorporate behavioral training for staff in recognizing social engineering attempts, beyond just relying on technology solutions. The key defense is less about tools and more about your people.