Octo Tempest cybercriminal group is “a growing concern”—Microsoft

Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations all over the world.

Initially the group made a name for itself by SIM swapping. SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but the most common ones involve social engineering attacks on the victim’s carrier.

In a security blog about Octo Tempest Microsoft states:

“Octo Tempest monetized their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.”

Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV/BlackCat ransomware group.

In our monthly ransomware reviews you will typically see ALPHV as the world’s third most used ransomware-as-a-service (RaaS).

ALPHV was the third most used RaaS between October 2022 – September 2023

ALPHV is a typical RaaS group where several criminal organizations work together to extort victims for data theft and/or encryption of important files. ALPHV provides the ransomware, the infrastructure for negotiating ransoms, and a dark web site where stolen data is leaked. The service is used by criminal gangs called affiliates who actually carry out attacks.

As an ALPHV affiliate, Octo Tempest focused its deployments primarily on VMWare ESXi servers and other complex hybrid environments.

Microsoft reports that in doing so, Octo Tempest progressively broadened the number of industries it targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services. 

Having Octo Tempest as an affiliate brings specialized knowledge to ALPHV, such as SMS phishing, SIM swapping, and advanced social engineering techniques. The group includes members with extensive technical knowledge and multiple hand-on-keyboard operators.

Its social engineering attacks target accounts that have sufficient administrator rights to build out an impactful attack. For example, to keep their tracks hidden, Octo Tempest will target the accounts of security personnel, which allows them to disable security products and features.

The group uses all kinds of social engineering attacks and, as a last resort, they do not shy away from threatening targets with physical violence if they fail to comply.

A unique technique used by Octo Tempest is to use the data movement platform Azure Data Factory, and automated pipelines, to extract data to external servers, aiming to blend in with typical big data operations.

Similar to that the group uses many Living off the land (LOTL) techniques that make it hard to spot its activities. One of Microsoft’s recommendations is to keep close tabs on administrative changes in your environment.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.