The hackers who reportedly affected more than 130 organizations last year and stole the credentials of nearly 10,000 employees are still targeting several tech and video game companies, according to a report obtained by TechCrunch.
The report, prepared by cybersecurity firm CrowdStrike, calls the hackers “Scattered Spider.” In an earlier, publicly available report, the company said that this group is also known as “Roasted 0ktapus,” in a clear reference to the report published last year by Group-IB, another cybersecurity firm.
Reports like the one obtained by TechCrunch are prepared by threat intelligence companies for their clients, with the idea of alerting them to hackers targeting either the clients directly or other companies in the same industry. In the report, CrowdStrike notes that it has limited visibility into the hacking campaign, as it has no “additional forensic artifacts,” referring to data it obtained directly from targeted organizations. Therefore, the company admits it has “little confidence” in its assessment that this is Scattered Spider activity.
Two cybersecurity insiders, who wished to remain anonymous because they were not authorized to speak to the press, said the industry understands that Scattered Spider is the same group as 0ktapus.
“Scattered Spider continued to deploy numerous phishing pages in January 2023. CrowdStrike Intelligence assesses that the attacker has likely expanded its target area to include companies in the technology sector that specialize in gaming or financial software, rather than targeting business process outsourcing (BPO) and mobile phone providers,” says the report, which is not publicly available.
It’s unclear if this is the same group that hacked into Riot Games last month, but the list of phishing domains in the CrowdStrike report includes one that was clearly made to target the video game giant, as the company’s name is in the URL.
The phishing domains include others created to impersonate video game makers Roblox and Zynga; email marketing and newsletter giant Mailchimp and its parent company Intuit; Salesforce; Comcast; and Grubhub. TaskUs, a contractor that provides customer service to companies including Mailchimp, Intuit and other tech giants, was also on the list.
In January, Mailchimp announced it had been hacked – the second hack against the company in six months. At the time, Mailchimp said the hackers had targeted its employees through phishing. It is unclear if this incident is related to Scattered Spider’s activities. Mailchimp did not respond to a request for comment.
Riot declined to comment.
Salesforce spokesperson Allen Tsai said the company is “aware of and monitoring phishing campaigns across the industry.”
“At this time, we have no indication of unauthorized access to customer data relevant to the cited report,” Tsai said in an email.
An Intuit spokesperson declined to comment because they had not seen the report.
Roblox, Zynga, TaskUs, Salesforce, Comcast and Grubhub did not immediately respond to a request for comment.
The report said that “the majority” of the hacking group’s phishing pages were designed to impersonate Okta login portals, “while a much smaller number impersonated Microsoft.”
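The two patterns described above, a target company's name embedded in a phishing hostname and pages impersonating an Okta or Microsoft login portal, are the kind of thing a defender can triage automatically against newly registered or newly observed domains. The script below is an added example written for this article; it is not code from the CrowdStrike or Group-IB reports, and the domain list it checks is constructed under the reserved `.test` TLD rather than taken from the report. It assumes a defender-maintained allowlist of each brand's legitimate registrable domains and uses a naive last-two-labels rule for the registrable domain instead of a public-suffix list.

```python
"""Flag candidate brand-impersonation domains (defender-side triage heuristic)."""
import re
from urllib.parse import urlsplit

# Brands named in the coverage, mapped to their legitimate registrable domains.
# Assumption: a defender-maintained allowlist, not a list from the report.
BRAND_DOMAINS = {
    "okta": {"okta.com", "oktapreview.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "riotgames": {"riotgames.com"},
    "roblox": {"roblox.com"},
    "zynga": {"zynga.com"},
    "mailchimp": {"mailchimp.com"},
    "intuit": {"intuit.com"},
    "salesforce": {"salesforce.com"},
    "comcast": {"comcast.com"},
    "grubhub": {"grubhub.com"},
    "taskus": {"taskus.com"},
}

# Words that commonly sit next to a brand name in a credential-phishing hostname.
SSO_WORDS = {"sso", "login", "signin", "auth", "vpn", "help", "support", "portal", "okta"}

# Digit-for-letter substitutions used in lookalikes such as "0kta".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def hostname(target: str) -> str:
    """Accept a bare domain or a full URL and return the lowercase hostname."""
    if "://" not in target:
        target = "http://" + target
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify(target: str) -> list[tuple[str, str]]:
    """Return (brand, reason) findings for one domain; an empty list means no concern.

    Substring matching is deliberately loose (it is a triage heuristic, so
    "intuitive.test" would also be flagged for review, not blocked).
    """
    host = hostname(target)
    reg = registrable(host)
    normalized = host.translate(LEET)  # "sso-r0blox" -> "sso-roblox"
    labels = set(re.split(r"[.\-]", normalized))
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue  # the brand's own domain, nothing to flag
        if brand in normalized:
            reason = "brand string in non-brand registrable domain"
            if labels & (SSO_WORDS - {brand}):
                reason += " combined with SSO/login wording"
            findings.append((brand, reason))
    return findings


def triage(domains: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Run classify() over a feed and keep only the domains that produced findings."""
    return {d: f for d in domains if (f := classify(d))}


# Constructed sample feed (reserved .test names), not domains from the report.
SAMPLE_FEED = [
    "login.okta.com",                 # legitimate Okta host
    "mailchimp.com",                  # legitimate brand domain
    "https://riotgames-okta.test/",   # brand name plus "okta" in a lookalike
    "sso-r0blox.test",                # digit substitution plus "sso"
    "example.test",                   # unrelated domain
]

if __name__ == "__main__":
    for domain, findings in triage(SAMPLE_FEED).items():
        for brand, reason in findings:
            print(f"{domain}: {brand}: {reason}")
```

Feeding this a daily list of newly observed domains (certificate transparency logs or passive DNS are the usual sources) turns the report's qualitative description into a repeatable review queue; the allowlist is what keeps the brand's own SSO hosts out of that queue.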
CrowdStrike did not respond to a request for comment.
Are you a Google Fi subscriber who was also a victim of a similar attack? Did you also receive a personalized notification from the company about the hack against you? We’d love to hear from you. You can safely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email firstname.lastname@example.org. You can also contact TechCrunch via SecureDrop.