Octo Tempest [1] [2] [3] [4] [5] [6] [7], also known as Scatter Swine or UNC3944 [1], is a financially motivated threat actor that targets technical administrators through social engineering tactics.


Octo Tempest employs various methods to gain initial access, including social engineering calls [5] [6], purchasing employee credentials or session tokens on the criminal underground market [2] [7], SMS phishing [3] [4] [5] [7], SIM swaps [2] [5], and call forwarding [5]. They also resort to intimidation tactics [5], such as physical threats, to coerce victims into sharing credentials [2] [7]. Extensive research is conducted by Octo Tempest to gather information on network infrastructure and password policies. They elevate their privileges through SIM swaps [5], social engineering [1] [2] [4] [5] [6] [7], and stolen organizational procedures [5]. The group utilizes adversary-in-the-middle (AiTM) techniques [2], compromising VMware ESXi infrastructure and using the open-source Linux backdoor Bedevil [2] [7], to gather more credentials and compromise security personnel accounts [5], disabling security features [5]. Endpoint detection and response and device management technologies are leveraged by Octo Tempest to deploy malicious software, steal sensitive files [5], and remove security products [5].

Octo Tempest’s targets initially included mobile telecommunication providers and business process outsourcing organizations [2] [7], but they have expanded to email and tech service providers, gaming [2] [3] [4] [5] [6] [7], hospitality [2] [7], retail [2] [7], managed service providers [2] [7], manufacturing [2] [7], technology [2] [5] [7], and financial sectors [2] [7]. They have also become an affiliate for the BlackCat ransomware gang [2] [4] [7]. Their attacks aim to steal cryptocurrency and exfiltrate data for extortion and ransomware deployment [2]. Octo Tempest’s extensive technical expertise allows them to navigate complex hybrid environments [2]. Their attacks are well-organized and indicate extensive technical depth and multiple operators [1].


Organizations need to actively prepare for the threats posed by Octo Tempest. Measures should be taken to strengthen security protocols, educate employees about social engineering tactics, and implement robust endpoint detection and response systems. The impacts of Octo Tempest’s attacks can be severe, including the theft of sensitive data and financial losses. Mitigations should focus on proactive defense strategies and continuous monitoring of network infrastructure. As Octo Tempest continues to evolve and expand their targets, it is crucial for organizations to stay vigilant and adapt their security measures accordingly.


[1] https://www.darkreading.com/remote-workforce/microsoft-0ktapus-cyberattackers-evolve-most-dangerous-status
[2] https://thehackernews.com/2023/10/microsoft-warns-as-scattered-spider.html
[3] https://cybernow.info/digital-spider-web-evolution-scattered-spider-cyber-threat/
[4] https://techkranti.com/26-oct-23-in-security-news-today/
[5] https://siliconangle.com/2023/10/26/microsoft-warns-octo-tempest-one-dangerous-financial-criminals-groups/
[6] https://cybersecurity-see.com/meet-octo-tempest-the-infamous-and-menacing-financial-hackers/
[7] https://www.redpacketsecurity.com/microsoft-warns-as-scattered-spider-expands-from-sim-swaps-to-ransomware/