Week 4 Studio: Oktapus
This week, we are going to look into a case study of a broad attack that targeted over 130 organizations. All of these organizations use two-factor authentication for their employees – they require employees to have both a strong password that is hard to guess, as well as a one-time code from an authentication app in order to log into the company’s computers. These attackers found a way to get both the password and the code from employees at most of the organizations and used that to access the computers at the organizations. Cybersecurity researchers have called this attack “Oktapus” because most of these companies use two-factor technology made by a company called “Okta” (which, coincidentally, is also the two-factor technology used by Michigan State).
First, let’s start by reading an overview of the whole Oktapus attack, written by Brian Krebs, a reporter who specializes in cybersecurity: https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/
Next, there are a couple of interesting blog posts that might help us. Two of the targets of the attack were Cloudflare and Twilio.
Cloudflare is a company that helps run the Internet; they do a lot of work for other companies to help protect them from large-scale cyberattacks, and also to help them scale up and handle larger numbers of users. They were targeted by the Oktapus hackers, and while 3 employees did enter their passwords, the hackers were not actually able to break into any accounts. They wrote up their experiences with Oktapus in this blog post.
Twilio is a customer engagement company that helps businesses keep track of their customers, contact them and send them emails, deals, etc., and then track when customers buy things based on those contacts. They also own their own two-factor app, called Authy, which has millions of users. They were targeted by Oktapus, and a total of 309 of their users were compromised and had their accounts broken into. They wrote up their experiences with Oktapus in this blog post.
Both of these companies, as well as a number of other companies, worked with 3rd party cybersecurity companies to investigate this breach. The company that they worked with – Group IB – also wrote up a description of its findings for how the attackers worked, what they did, and what they were after in their own blog post.
Finally, an update from a year and a half later from Brian Krebs. They caught someone that they claim is part of the group that did this attack: https://krebsonsecurity.com/2024/01/fla-man-charged-in-sim-swapping-spree-is-key-suspect-in-hacker-groups-oktapus-scattered-spider/
Part 1: Understand the Case
Let’s use the skills we’ve been developing to understand this case. Start by reading the article and blog posts I linked above. You can skim the blog posts from the 3 companies – right now, they contain a lot of irrelevant information, but they also do contain some information that is useful. You’ve read through a number of case studies, and are starting to get a better gut feeling for what information is important and what information isn’t. Trust your gut; you can always go back and look again later.
Pick one of the victims – either CloudFlare or Twilio – and focus specifically on that victim and the attack on that company. Let’s go through the same process we have been doing for the last couple of weeks to map out and understand what is happening:
- Figure out who the relevant actors are. We’ve got the attackers (Oktapus), the victim, additional defenders, etc. Fill out an actors and motivations worksheet for each of them to try to think through who was doing what, and why they did what they did.
- Figure out the attack, and what vulnerability enabled the attack. Grab the vulnerability worksheet if you think it’ll help and fill it out, trying to understand what the weakness was that these attackers were trying to exploit. Hint: all of the news reports called it a “social engineering” attack, which suggests that the perceived weakness was probably something that human beings do, not some technical vulnerability.
Don’t spend too long on this. Details help, but all of this work is really to help you gain a basic understanding of what happened. You should hopefully be getting faster and better at these tasks as you practice them every week.
Part 2: Why the defenders did this
I linked to two companies that were attacked: Twilio and Cloudflare. Twilio was successfully compromised; the attacker was able to steal credentials, defeat the second factor (at times), and get into Twilio’s systems to steal customer data. Cloudflare, on the other hand, reported that while they were targeted by the same attack, “no Cloudflare systems were compromised”. The reason they gave is that they use security keys (physical devices like a Yubikey) instead of SMS codes or an app that generates codes. There were actually a number of other companies that were also compromised like Twilio (but were not as transparent about it).
Obviously, both companies have access to technologies that could stop this attack, since the security keys that Cloudflare used are a 3rd party’s product from Yubikey. Cloudflare chose to use them, and Twilio did not.
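To make concrete why the choice of second factor mattered, here is an added Python example (written for this studio, not code from the course, Cloudflare, Twilio or Okta). It models the two kinds of second factor side by side: a one-time code generated from a shared secret (RFC 6238 TOTP, the scheme authenticator apps use), and a security-key style response in which the browser includes the website origin it actually saw in the data the key signs. The origins, seeds and challenge bytes are constructed placeholders, and a keyed hash stands in for the public-key signature a real FIDO2 key produces; that simplification does not change the property being shown, which is that a one-time code verifies wherever it is typed, while a security-key response only verifies for the origin it was produced for.

```python
import hmac
import hashlib

# Constructed placeholder origins for the real login page and a lookalike page.
REAL_ORIGIN = "https://login.example-corp.test"
LOOKALIKE_ORIGIN = "https://login.example-corp-sso.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app displays."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def server_accepts_code(server_secret: bytes, submitted: str, unix_time: int) -> bool:
    """The real site checks only that the digits match its own computation."""
    return hmac.compare_digest(totp(server_secret, unix_time), submitted)


def key_response(credential_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Security-key style response: the browser's view of the origin is part of
    the signed data. (Keyed hash used as a stand-in for a FIDO2 signature.)"""
    return hmac.new(credential_key, browser_origin.encode() + b"|" + challenge,
                    hashlib.sha256).digest()


def server_accepts_key_response(credential_key: bytes, challenge: bytes,
                                response: bytes, expected_origin: str) -> bool:
    """The real site verifies against the origin it expects, not the one typed at."""
    expected = key_response(credential_key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def code_entered_on_lookalike(unix_time: int) -> bool:
    """A code entered on the lookalike page and passed along unchanged still
    verifies at the real site: nothing in the code says where it was typed."""
    seed = b"constructed-seed"              # constructed shared secret
    code_as_typed = totp(seed, unix_time)
    return server_accepts_code(seed, code_as_typed, unix_time)


def key_used_on_lookalike() -> bool:
    """A security key used from the lookalike page produces a response bound to
    LOOKALIKE_ORIGIN, so the real site's check fails."""
    credential_key = b"constructed-credential-key"   # constructed per-site key
    challenge = bytes(range(32))                      # constructed challenge
    response = key_response(credential_key, challenge, LOOKALIKE_ORIGIN)
    return server_accepts_key_response(credential_key, challenge, response, REAL_ORIGIN)


def key_used_on_real_site() -> bool:
    """Same key, same challenge, but from the genuine origin: verification succeeds."""
    credential_key = b"constructed-credential-key"
    challenge = bytes(range(32))
    response = key_response(credential_key, challenge, REAL_ORIGIN)
    return server_accepts_key_response(credential_key, challenge, response, REAL_ORIGIN)


if __name__ == "__main__":
    t = 1_700_000_000
    print("one-time code typed on lookalike page accepted:", code_entered_on_lookalike(t))
    print("security key used from lookalike page accepted:", key_used_on_lookalike())
    print("security key used from real site accepted:", key_used_on_real_site())
```

The design point for a defender is that the one-time code's verification has no input the employee's mistake could contaminate, so training is the only control between a convincing message and a successful login; the origin-bound response makes the browser, not the employee, responsible for telling the two sites apart.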
Additionally, look at the training of the users. Both companies had employees’ passwords stolen. Twilio reported that data from 125 customer accounts were accessed (Group-IB claims 163 customer accounts). Cloudflare reported that 3 employees had their credentials stolen, but the company says that the attackers were not able to successfully log in, and their other protective actions worked to prevent compromise.
Why do you think this is? Why did Twilio choose not to require the use of security keys? Alternatively, why did Cloudflare choose to use them? Both of these are technology companies that deal in computer security regularly. I doubt that the problem was that Twilio didn’t know about security keys.
Take this question seriously. What is it that made the same attack against Twilio work so much better than the attack against Cloudflare? Why would Twilio make different security decisions than Cloudflare?
Work with your partner/team to:
- Brainstorm possible reasons. Don’t stop at the first one you come up with. Make a list, and write it down, of as many reasons you can think of why each company may have acted the way they did.
- Once you have a list, go back and look for evidence. Can you find any evidence whether any of those reasons is right or not?
- Guess. Most likely, you haven’t figured out the answer in a way that you can support with evidence. At this point, use your gut feelings and intuition to make a best guess. You can assign probabilities if you like – for each possible explanation, what do you think is the probability that that is the reason?
Part 3: Individual decisions
As part of the attack, individual employees had to make hard decisions. They received this text message, purportedly from their employer. We don’t know who those employees are – the companies mercifully did not release their names or information. However, we can think about why they might have made the decisions that they did.
This week, we talked about a number of “mental models” of security / encryption, and we also talked about a number of “heuristics and biases” that affect how people make decisions.
Go through those, and examine whether any of them might have contributed to individual employees falling for this attack. Which heuristics might lead an employee to trust such a text message? Are there reasonable mental models that might lead someone to click on the link in that message? Are there biases that might make it difficult for employees?
Make a list. We don’t have many details about the actual employees that fell for this, but we can speculate about potential causes.
Also, think about the two companies – Twilio and Cloudflare. Are there differences between them that might lead to different heuristics/biases/mental models?
I mentioned earlier in the semester that, often, one of the goals of reading a case like this is to try to identify what we might do differently in the future to prevent similar attacks. As the final task for the day, imagine that you were trying to create a “training program” to teach employees what they need to know to not fall for these attacks. These employees have all heard about the attack, so they already know that it is possible. What do you think you can tell them to help them avoid such attacks in the future?