'0ktapus' hackers are back, targeting tech and gaming companies, leaked report says

Hackers who allegedly hit more than 130 organizations last year and stole the credentials of nearly 10,000 employees are still targeting several tech and gaming companies, according to a report obtained by TechCrunch.

The report, prepared by cybersecurity firm CrowdStrike, calls the hackers "Scattered Spider". In an earlier publicly available report, the company said this group was also known as "Roasted 0ktapus" in an apparent reference to the report published by Group-IB, another cybersecurity firm, last year.

Reports like the one obtained by TechCrunch are prepared by threat intelligence firms for their customers, with the aim of alerting them to hackers who are directly targeting customers or other companies in the same industry. In the report, CrowdStrike notes that it has limited visibility into the hacking campaign given that it has no "additional forensic artifacts," referring to data it obtained directly from targeted organizations. That's why the company admits it has "low confidence" in its assessment that this is Scattered Spider activity.

Two cybersecurity insiders, who asked to remain anonymous because they were not authorized to speak to the press, said it is understood within the industry that Scattered Spider is the same group as 0ktapus.

"Scattered Spider continued to deploy numerous phishing pages in January 2023. CrowdStrike Intelligence believes that the adversary likely expanded its target perimeter to include technology companies specializing in gaming or financial software, while primarily focusing on business process outsourcing (BPO) companies and mobile phone providers," reads the report, which is not publicly available.

It's unclear if this is the same group that hacked into Riot Games last month, but in a list of phishing domains included in the CrowdStrike report, there is one that was clearly designed to target the gaming giant given that it includes the company name in the URL.

Among the phishing domains, there are also others designed to impersonate video game makers Roblox and Zynga, email marketing and newsletter giant Mailchimp and its parent company Intuit, Salesforce, Comcast and Grubhub. TaskUs, a contractor that provides customer service to companies such as Mailchimp, Intuit and other tech giants, was also on the list.

In January, Mailchimp revealed it had been hacked - the second hack against the company in six months. At the time, Mailchimp said hackers targeted its employees via phishing. It is unknown if this incident is related to the activities of Scattered Spider. Mailchimp did not respond to a request for comment.

Riot declined to comment.

Salesforce spokesperson Allen Tsai said the company is "aware of and monitoring industry-wide phishing campaigns."

"At this time, we have no indication of unauthorized access to customer data relevant to the cited report," Tsai said in an email.

An Intuit spokesperson did not comment because they had not seen the report.

Roblox, Zynga, TaskUs, Comcast and Grubhub did not immediately respond to a request for comment.

The report states that "the majority" of the hacking group's phishing pages were designed to mimic Okta login portals, "while a much smaller number impersonated Microsoft".

CrowdStrike did not respond to a request for comment.

Are you a Google Fi subscriber who also experienced a similar attack? Did you also receive a personalized notification from the company regarding the hack against you? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
