The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Inside a cyberattack method that targets your cellphone

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Tell all your friends to sign up, won't you please? It will make them cool.

Below: A Senate committee advances legislation focusing on open-source software cybersecurity, and a top U.K. official warns that Russian President Vladimir Putin could take more cyber risks. But first:

Is it really Okta? Or is it actually 0ktapus?

A recent spree of “smishing” attacks points to what some experts anticipate will be a wider threat in the future.

The technique, which claims victims at Twilio and targeted others at Cloudflare, combines text messages intent on luring victims into clicking on a link, leans on the ubiquity of smartphones, seeks to manipulate human nature, and works around an increasingly common defensive measure.

A campaign that relied on the technique gathered steam this summer and targeted more than 130 companies, according to a report from cyberfirm Group-IB last month. The attackers compromised nearly 10,000 user credentials.

The technique works like this:

  • Hackers send phony text messages to prospective victims, luring them to click on a link by pretending to be, say, a member of their employers’ IT team telling them that their password had expired or their schedule had changed. Typically known as “phishing” when the lures arrive via email, this is known as “smishing” because it’s a portmanteau of “phishing” and “SMS,” commonly known as texting.
  • The link leads to a fake Okta site or another tool that verifies a sign-in, known as multifactor authentication or MFA. (Group-IB named the campaign in its report 0ktapus because of the Okta angle.)
  • Once the hackers get the code that their victim unwittingly gives them, they’re able to roam around in the victims’ networks.

The Group-IB figures are dramatic, said Ryan Olson, vice president of threat intelligence at Palo Alto Networks’ Unit 42.

“That means they had success on like 70 individuals per company on average, and I don’t know what all the companies are or how big they are, but that was extremely successful for a phishing attack,” Olson told me. “If you were to send a phishing attack over email, you’re lucky if one in a 1,000 people even sees the email and makes it through the filters, let alone click on it, let alone type in their multifactor authentication code as well. That’s a huge amount of success.”

Olson said his company has already seen copycats of the original campaign and expects it to expand, a view others in the cyber field share.

“It’s going to grow,” predicted Angelos Stavrou, founder and chief science officer at Quokka, a mobile privacy company known until recently as Kryptowire.

Why it works

In most cases, people don’t have as many defenses on their personal phones to block malicious messages as a large organization has on their work emails, Olson said. (Separately, the IRS warned about smishing attacks Wednesday.)

Smishing is a lesser known threat, and people are more accustomed to clicking on text messages, some of which their employer might send, Olson said. And attackers have learned that they can spam requests for MFA log-in codes and some people will eventually give in, which is apparently what happened in this month’s Uber breach.

MFA is a well-regarded defensive technique touted by federal officials and major tech companies alike, but as it has grown more common, “MFA fatigue” has taken hold. Often, users just want to make the messages stop and clicking on them is the quickest way. But Olson said you don’t need to be a dummy to fall for the trick.

Often users don’t trigger an MFA request until they sign into a system they use at work. But Olson himself recently got an MFA message because he had timed out of a system that was idle on his computer. Some office workers, in other words, get routine prompts to reauthorize.

For Stavrou, the reason it works is the steady escalation of defense and offense, and how everyday users respond.

“As we become more advanced, the adversary has become more advanced,” he told me. “The information that the user is presented with is increasing faster than they can handle.”

While 0ktapus focused on Okta, Palo Alto Networks has seen campaigns centered on other authentication tools as well, like Duo or Microsoft 365.

The risks and the fixes

There are some limits to the attack method. It requires hackers to use a login code within a certain amount of time, but Olson said that process is likely automated. The overall technique, according to Group-IB and others, doesn’t require major skills.

What can the hackers do to victims if successful? “Recent disclosures reveal that the initial compromises were just part of the attack,” Group-IB noted, pointing to the potential to steal cryptocurrency or use stolen information to launch attacks on other victims.

Some keys to fending off the attacks include physical devices like the Yubikey, which make it harder for hackers to intercept identity verification; reliance on apps like Google Authenticator rather than text messages for authentication codes; or employee awareness programs.

Until then, “anytime a technique shows this much success, other threat actors will copy it,” Olson said.

The keys

Senate committee advances legislation to help secure open-source software

The bill seeks to tackle issues raised by a sweeping flaw in the log4j software library last year by having U.S. government agencies review the risk in systems that rely on software maintained by volunteers. Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the top senators on the Senate Homeland Security and Governmental Affairs Committee, introduced the legislation last week.

The log4j vulnerability swept open-source software security into the spotlight last year. CISA Director Jen Easterly called it the “most serious vulnerability I have seen in my decades-long career,” but organizations didn’t immediately see any massively destructive hacks as feared. However, Log4j remains an “endemic vulnerability,” and “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” a Department of Homeland Security panel said in July.

Top U.K. official warns of Russian cyberattacks

Lindy Cameron, the chief executive of Britain’s National Cyber Security Center, warned at an event that Russia may be unpredictable in cyberspace and that organizations need to keep being on alert for Russian hacks, the Financial Times’s John Paul Rathbone reports. “There is still a real possibility that Russia could change its approach in the cyber domain and take more risks,” Cameron said.

Cameron also noted that Russia’s cyber operations have been intense. “We haven’t seen ‘cyber Armageddon.’ But … what we have seen is a very significant conflict in cyberspace — probably the most sustained and intensive cyber campaign on record,” she said.

Cameron’s warning echoes similar warnings from Washington, where Easterly reiterated that firms should have their “shields up,” and make sure that they’re ready for potential Russian cyberattacks.

House Republicans ask Justice Department about response to hacks on Christian groups amid abortion furor

Thirteen Republicans on the House Oversight and Reform Committee asked Attorney General Merrick Garland to provide a briefing on the Justice Department’s efforts to investigate hacks of Christian organizations and donation sites. Their letter foreshadows a potential line of inquiry by Republicans, who could take control of the House in November and launch their own investigations.

The signatories of the letter included Rep. James Comer (Ky.), the committee’s top Republican, and the top Republicans on all five of the committee’s panels. They cited hacks targeting the Texas Republican Party’s website, Christian crowdfunding website GiveSendGo and evangelical groups supporting the Supreme Court’s overturning of Roe v. Wade.

“The Department of Justice must investigate these attacks, which are likely unlawful and clearly intended to chill the right of our citizens to peacefully express their opinions on matters of public importance as well as donations to conservative or religious organizations,” the lawmakers wrote in the letter. “Citizens in this country should be free to exercise their rights without fear of malicious cyberattacks.” A Justice Department spokesman declined to comment.

Global cyberspace

Can Kaspersky survive the Ukraine war? (CyberScoop)

Australia demands Optus pay for new customer ID documents (Associated Press)

Israeli firm to sell social media-tracking software to Orban’s Hungary (Times of Israel)

Government scan

Treasury seeks comment on how to structure a cyber insurance program (NextGov)

Cyber insecurity

Stealthy hackers target military and weapons contractors in recent attack (Bleeping Computer)


  • The U.S. Naval Institute hosts an event on cyberthreats and disinformation today at 10:30 a.m.
  • Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), the top ranking members on the House Energy and Commerce Committee, discuss privacy legislation at a Washington Post Live event today at 11 a.m.
  • The Global Tech Security Commission hosts Commerce Secretary Gina Raimondo for a discussion about implementation of the Chips and Science Act today at 11:15 a.m.

Secure log off

Thanks for reading. See you tomorrow.