UNC3944, a financially motivated threat group linked to "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider," has evolved its tactics to include data theft from SaaS applications, persistence mechanisms in virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, the group initially focused on credential harvesting and SIM swapping before shifting to data theft extortion.
Key tactics include social engineering of corporate help desks (for example, requesting MFA resets on a targeted employee) to take over privileged accounts, abusing Okta permissions to assign themselves additional applications and so broaden access, and creating their own virtual machines inside the victim's virtualization platform for persistence. They also used cloud synchronization tools to exfiltrate data and targeted Active Directory Federation Services (ADFS) to simplify access to federated cloud applications.
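The chain described above (help-desk MFA reset, followed by the same admin assigning the victim new SaaS applications, followed by a sign-in from an address the account has never used) is something a SOC can correlate from the Okta System Log. The detector below is an added example, not code from the original page or from Mandiant; the event types are Okta's public System Log names, but the target structure, the field names, the 24-hour window and every sample event are constructed for this illustration and should be checked against the tenant's own log shape.

```python
"""Correlate Okta System Log events for the help-desk -> SaaS access chain.

Added example (not from the page or the vendor report). The sample events
below are constructed; the event type names are Okta's, the target shapes
are assumed and must be validated against a real tenant export.
"""
from datetime import datetime, timedelta

MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
APP_ASSIGN_EVENT = "application.user_membership.add"
SESSION_EVENT = "user.session.start"
WINDOW = timedelta(hours=24)  # assumed correlation window


def _ev(published, event_type, actor, ip=None, targets=()):
    """Build a trimmed Okta-style System Log entry (constructed sample data)."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "target": [{"type": t, "alternateId": a, "displayName": d} for t, a, d in targets],
    }


# Constructed scenario: alice normally signs in from 203.0.113.10; the help
# desk resets her MFA, assigns two apps, and the next session is from a new IP.
# bob gets a routine MFA reset with no app assignment and signs in from home.
SAMPLE_EVENTS = [
    _ev("2024-04-30T07:55:00.000Z", SESSION_EVENT, "bob@example.com", "203.0.113.50"),
    _ev("2024-05-01T08:00:00.000Z", SESSION_EVENT, "alice@example.com", "203.0.113.10"),
    _ev("2024-05-02T09:00:00.000Z", "user.mfa.factor.reset_all", "helpdesk.admin@example.com",
        "192.0.2.5", [("User", "alice@example.com", "Alice")]),
    _ev("2024-05-02T09:05:00.000Z", APP_ASSIGN_EVENT, "helpdesk.admin@example.com", "192.0.2.5",
        [("User", "alice@example.com", "Alice"), ("AppInstance", "0oa1", "Salesforce")]),
    _ev("2024-05-02T09:06:00.000Z", APP_ASSIGN_EVENT, "helpdesk.admin@example.com", "192.0.2.5",
        [("User", "alice@example.com", "Alice"), ("AppInstance", "0oa2", "AWS Account Federation")]),
    _ev("2024-05-02T09:20:00.000Z", SESSION_EVENT, "alice@example.com", "198.51.100.7"),
    _ev("2024-05-03T10:00:00.000Z", "user.mfa.factor.reset_all", "helpdesk.admin@example.com",
        "192.0.2.5", [("User", "bob@example.com", "Bob")]),
    _ev("2024-05-03T10:30:00.000Z", SESSION_EVENT, "bob@example.com", "203.0.113.50"),
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _target(event, target_type):
    """Return the first target of the given type, or None."""
    for t in event.get("target", []):
        if t.get("type") == target_type:
            return t
    return None


def known_ips(events, user, before):
    """Source IPs the user signed in from before a given time (the baseline)."""
    return {
        e["client"]["ipAddress"]
        for e in events
        if e["eventType"] == SESSION_EVENT
        and e["actor"]["alternateId"] == user
        and _ts(e) < before
    }


def detect_helpdesk_to_saas(events):
    """Alert when an MFA reset is followed, within WINDOW, by the same admin
    assigning the victim new apps and a victim session from a never-seen IP."""
    events = sorted(events, key=_ts)
    alerts = []
    for reset in events:
        if reset["eventType"] not in MFA_RESET_EVENTS:
            continue
        victim = _target(reset, "User")
        if victim is None:
            continue
        user, admin, t0 = victim["alternateId"], reset["actor"]["alternateId"], _ts(reset)
        baseline = known_ips(events, user, t0)
        assigned = []
        for e in events:
            dt = _ts(e) - t0
            if dt <= timedelta(0) or dt > WINDOW:
                continue
            if e["eventType"] == APP_ASSIGN_EVENT and e["actor"]["alternateId"] == admin:
                u, app = _target(e, "User"), _target(e, "AppInstance")
                if u and app and u["alternateId"] == user:
                    assigned.append(app["displayName"])
            elif e["eventType"] == SESSION_EVENT and e["actor"]["alternateId"] == user:
                ip = e["client"]["ipAddress"]
                if assigned and ip not in baseline:
                    alerts.append({"user": user, "admin": admin, "reset_at": reset["published"],
                                   "apps": list(assigned), "source_ip": ip,
                                   "session_at": e["published"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_to_saas(SAMPLE_EVENTS):
        print(alert)
```

The baseline of known IPs is deliberately computed only from sessions before the reset, so a sign-in from the attacker's address after the reset cannot poison it; in production the baseline would come from a longer history than a single event export, and the `assigned` check should be tightened to applications outside the user's normal role.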
UNC3944's shift to SaaS applications involved unauthorized access to platforms including VMware vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and GCP. They used data-pipeline tools such as Airbyte and Fivetran to copy data out of victim SaaS tenants, and leveraged Microsoft Office Delve for quick reconnaissance of documents and users within M365 environments.