Over 130 organizations affected by Okta Hackers’ Twilio and Cloudflare breach


The activity has been dubbed 0ktapus by Group-IB because the initial goal of the attacks was to “obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations.”

The threat actor behind the attacks on Twilio and Cloudflare earlier this month has been linked to a broader phishing campaign aimed at 136 organizations that resulted in a cumulative compromise of 9,931 accounts.


  • An extensive phishing campaign that targeted 136 organisations and resulted in the compromise of 9,931 accounts has been traced to the threat actor responsible for the assaults on Twilio and Cloudflare earlier this month.

  • Calling the attacks well designed and executed, the Singapore-headquartered company said the adversary singled out employees of companies that are customers of identity services provider Okta.

The Singapore-based company claimed the attacker sought out employees of businesses that use identity services provider Okta, calling the attacks carefully designed and conducted.

The attacks’ primary objective was to “collect Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organisations,” which is why Group-IB has dubbed the activity 0ktapus.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB said. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

The threat actor responsible for this month’s attacks on Twilio and Cloudflare has been connected to a larger phishing effort that targeted 136 businesses and ultimately led to the compromise of 9,931 accounts.

Group-IB dubbed the activity 0ktapus since the attacks’ primary objective was to “collect Okta identification credentials and two-factor authentication (2FA) codes from users of the targeted organisations.” The Singapore-based company said the attacker targeted employees of businesses that use Okta, a provider of identity services, and described the attacks as well designed and executed.

According to reports, at least 169 different phishing domains have been created for this purpose, with the majority of the victim organisations being based in the United States (114), India (4), Canada (3), France (2), Sweden (2), and Australia (1), among other countries. These websites shared a commonality in that they each made use of an undocumented phishing kit. Software companies make up the majority of the affected businesses, followed by those in the telecom, business services, banking, education, retail, and logistics industries. Along with Twilio and Cloudflare, other confirmed victims include MailChimp and Klaviyo.

AT&T, KuCoin, Mailgun, Metro PCS, Slack, T-Mobile, and Verizon were also targeted, according to an examination of the 0ktapus phishing websites. These breaches then served as a launching point for later supply chain attacks against Signal (via Twilio) and DigitalOcean (via MailChimp). The attacks are also noteworthy because the compromised data, which included user credentials, email addresses, and multi-factor authentication (MFA) codes, was disseminated over a Telegram channel controlled by the threat actor.

Additionally, the attempts to get into Signal accounts suggest that the attackers are also trying to obtain sensitive information such as private conversations. It is still unknown how the hackers managed to get access to employee names and phone numbers. “While the threat actor may have been lucky in their attacks it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks,” Group-IB analyst Roberto Martinez said.

Although the campaign’s ultimate goals are still unknown, it is believed to be espionage- and financially-motivated, giving the threat actor access to private information, proprietary information, and corporate inboxes as well as the ability to steal money. According to Group-IB, one of the channel administrators, who goes by the alias X, was connected to a Twitter and a GitHub account that suggest the person may be based in the American state of North Carolina.
