What 0ktapus taught us about cyberattacks on the Russian government: The impact of Twilio on Okta and other companies
WIRED looks back on the year’s worst hacks, leaks, and digital takeovers. The first years of the 2020s show that the digital security field will only get more bizarre in the years to come. Stay alert and stay safe out there.
For years, the Russian government has wreaked havoc on Ukraine with its digital attacks, including hacking into the country’s computer networks and releasing destructive malware. Since invading Ukraine in February, though, times have changed for some of Russia’s most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network, followed by repeated access over and over again, whether through a new breach or by maintaining the old access. The Russian playbook on the physical battlefield and in cyberspace seems to be the same: one of ferocious bombardment that projects might and causes as much pain as possible to the Ukrainian government and its citizens.
More than 130 organizations were compromised over the summer by a phishing group that researchers dubbed 0ktapus (also sometimes called “Scatter Swine”). Many of the victim institutions were in the US, but there were many more in other countries as well. The attackers primarily texted targets with malicious links that led to fake authentication pages for the identity management platform Okta, which can be used as a single sign-on tool for numerous digital accounts. The hackers’ goal was to steal Okta credentials and two-factor authentication codes so they could gain access to a number of accounts and services at once.
One company hit during the rampage was the communications firm Twilio. At the beginning of August it suffered a security breach affecting 163 of its customer organizations. Twilio is a big company, so that only amounted to 0.06 percent of its clients, but sensitive services like the secure messaging app Signal, the two-factor authentication app Authy, and the authentication firm Okta were all in that slice and became secondary victims of the breach. One of the knock-on effects of the incident was that attackers were able to compromise two-factor authentication codes and access the user accounts of some Twilio customers, which is a problem because Twilio offers a platform for automatically sending out text messages, including the ones that carry those codes.
In recent years, countries around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking Vice Society is a group that has focused its attacks this year on the education sector. The group had a high-profile standoff with the Los Angeles Unified School District at the beginning of September, in which the district refused to pay the attackers despite the fact that its digital networks went down. LAUSD was a high-profile target, and Vice Society may have bitten off more than it could chew, given that the system includes more than 1,000 schools serving roughly 600,000 students.
The US Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services put out a warning about the Russia-linked cybercriminal gang known as Hive. The agencies said the group’s ransomware has been used to target over 1,300 organizations around the world, resulting in roughly $100 million in ransom payments from victims. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote, “including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health.”
The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March it compromised a contractor with access to the ubiquitous authentication service Okta. Because the group was based primarily in the United Kingdom, British police arrested seven people associated with it at the end of March and charged two at the beginning of April. The group came back to life in September, breaching the ride-share platform and the developer of Grand Theft Auto as well. On September 23, police in the UK said they had arrested an unnamed 17-year-old in Oxfordshire who appears to be one of the individuals previously arrested in March in connection with Lapsus$.
In December, LastPass revealed that the worse-than-expected August breach it had disclosed at the end of November compromised some users’ passwords on top of other personal information. The company had to make another disclosure to detail the second incident, in which attackers were able to get into the company’s cloud storage and steal sensitive data. The attackers gained such extraordinary access by targeting a specific LastPass employee with deep system privileges.
A roundup of security news in the week after the unveiling of the 2016 UAV drone security project – Part I: The pressing issues
Researchers from the German research center for information security and the Ruhr University’s department of electrical and computer engineering showed how they were able to reverse engineer the radio signals of drones sold by DJI, the leading manufacturer of consumer drones. By deconstructing this signal, the researchers could see that every DJI drone’s DroneID communications transmit not only the drone’s own GPS location and a unique identifier, but also the GPS coordinates of its operator.
New findings reported this week show that the Association of Southeast Asian Nations’ email server was compromised in February 2022, and Beijing-backed hackers are believed to have been responsible. As tensions rise in the region, WIRED was first to report the security alert.
Meanwhile, as the war in Ukraine rages on and Russia faces an array of economic sanctions from international governments, the Kremlin is working to address gaps in its tech sector by scrambling to get a home-brewed Android phone off the ground this year. The National Computer Corporation, a Russian IT giant, says it will somehow produce and sell 100,000 smartphones and tablets by the end of 2023. It is possible that the license for the new Russian phone will be restricted, which would force the project to look for a different mobile operating system.
The White House unveiled a national cybersecurity plan on Thursday. It focuses on priorities like digital defenses for critical infrastructure, but it also includes proposals to shift legal liability for cybersecurity vulnerabilities and failures onto companies that don’t make an effort to protect sensitive data.
If you want to do something good for your cyber-hygiene this weekend, we’ve got a roundup of the most pressing software patches to download ASAP. Seriously, go install them now, we’ll wait here.
There’s more. We cover security news in depth ourselves, but we do not round it up every week. Click the headlines to read the full stories, and stay safe out there.