{
	"id": "d487db98-7dc7-42ac-8f7e-09882568aac2",
	"created_at": "2026-04-06T00:14:34.450461Z",
	"updated_at": "2026-04-10T13:11:54.742203Z",
	"deleted_at": null,
	"sha1_hash": "04c0b84c975f8b02c37c946299b542336b2ebb68",
	"title": "Detecting Scatter Swine: Insights into a Relentless Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64401,
	"plain_text": "Detecting Scatter Swine: Insights into a Relentless Phishing Campaign\r\nBy Defensive Cyber Operations\r\nPublished: 2022-08-25 · Archived: 2026-04-05 12:36:08 UTC\r\nSummary\r\nTwilio recently identified unauthorized access to information related to 163 Twilio customers, including Okta. Access was gained to internal Twilio systems, where data of some Okta customers was accessible to a threat actor (detailed below).\r\nOkta has determined that a small number of 1) mobile phone numbers and 2) associated SMS messages containing one-time passwords (“OTPs”) were accessible to the threat actor via the Twilio console.\r\nOkta has notified every customer whose phone number was visible in the console at the time the console was accessed.\r\nThere are no actions necessary for customers at this time. Details regarding this access, our response, and best practices can be found below.\r\nIn recent months, a number of technology companies were subject to persistent phishing campaigns by a threat actor we refer to as “Scatter Swine”.\r\nOkta’s Defensive Cyber Operations (DCO) has proactively notified these companies when we have observed phishing infrastructure deployed by this threat actor, among others. It is commonplace for DCO to detect Scatter Swine repeatedly targeting the same organizations with multiple phishing sites within a matter of hours.\r\nOn the evening of Sunday, August 7, 2022, Twilio disclosed that a number of Twilio customer accounts and internal applications were accessed in attacks that resulted from one or more of these phishing campaigns.\r\nOkta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.\r\nOn August 8, 2022, Twilio provided an initial notification to Okta, to inform us that unspecified data relevant to Okta was accessed during Twilio’s incident.\r\nOkta prioritized routing of SMS-based communications to an alternative provider while we worked with Twilio’s security team to understand the scope and impact of the incident.\r\nThe Twilio security team supported our investigation by subsequently providing internal system logs which we were able to use to correlate and identify the extent of the threat actor’s activity as it pertains to Okta customer data.\r\nhttps://sec.okta.com/scatterswine\r\nPage 1 of 6\r\nUsing these logs, Okta’s Defensive Cyber Operations’ analysis established that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console. A one-time passcode is valid for five minutes.\r\nThe primary category (see “Targeted Activity” below) consists of those mobile phone numbers the threat actor searched for directly in the Twilio console.\r\nThe secondary category (see “Incidental Exposure” below) consists of mobile phone numbers that can be considered ‘incidental’ to the specific actions or objectives of the threat actor.\r\nOkta has notified customers with mobile phone numbers in both of the above categories.\r\nTargeted Activity\r\nThe threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization.\r\nA review of logs provided to us by Twilio revealed that the threat actor was seeking to expand their access. We assess that the threat actor used credentials (usernames and passwords) previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for one-time passwords sent in those challenges.\r\nIncidental Exposure\r\nThe second category of exposed mobile phone numbers was incidental to this activity. Incidental, in this case, can be defined as phone numbers that may have been present in the Twilio portal during the threat actor's limited activity window. Okta's analysis reveals no indication that the threat actor targeted or used such mobile phone numbers.\r\nThe threat actor performed their searches using Twilio administrative portals that (by default) list the most recent 50 messages sent using Okta’s Twilio account.\r\nOkta usernames are not visible in Twilio logs.\r\nThe threat actor took no actions that indicated an intent to use access to this information, an observation we have verified via extensive investigation (described below).\r\nIntrusion Analysis\r\nAfter analyzing suspicious activity and identifying key TTPs used by the threat actor, Okta performed threat hunting across our platform logs during the time period that the threat actor was known to have had access to Twilio’s systems. Some example threat hunting searches are provided below.\r\nThis exercise uncovered an event in which the threat actor successfully tested this technique against a single account unrelated to the primary target. The threat actor did not perform any additional actions once they had validated this access, and returned to their prior activity.\r\nOutside of this isolated event, there is no evidence that the threat actor successfully used this technique to expand the scope of its access outside of their primary target.\r\nTactics, Techniques and Procedures\r\nScatter Swine has directly targeted Okta via phishing campaigns on several occasions, but was unable to access accounts due to the strong authentication policies that protect access to our applications.\r\nOkta Security has observed the following TTPs (tactics, techniques and procedures) employed by Scatter Swine:\r\nThe threat actor makes use of infrastructure provided by Bitcoin-friendly provider Bitlaunch, providing servers from DigitalOcean, Vultr, and Linode.\r\nPreferred domain name registrars include Namecheap and Porkbun, both of which accept Bitcoin as payment.\r\nWe have observed the threat actor delivering phishing lures in bulk to individuals in targeted organizations via text messages. We are aware of multiple instances where hundreds of messages were sent to employees and even to family members of employees.\r\nThe threat actor likely harvests mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations.\r\nThe threat actor calls targeted individuals and impersonates support staff in an attempt to understand how the organization’s authentication works. The caller’s accent appears to be North American, and the speaker is confident and clearly spoken.\r\nThe threat actor’s targets have included technology companies, telecommunications providers and organizations and individuals linked to cryptocurrency.\r\nThe threat actor predominantly hosts self-contained, HTTP-based phishing infrastructure. Their sites do not use TLS certificates.\r\nIf the threat actor successfully harvests user credentials during a SMishing (SMS phishing) campaign, attempts are made to authenticate using anonymizing proxy services. In this particular campaign the threat actor favored Mullvad VPN.\r\nThe phishing kit used by the threat actor is designed to capture usernames, passwords and OTP factors. We have also observed the threat actor triggering multiple push notifications in an attempt to trick a target into allowing access to the account.\r\nThe threat actor has been observed connecting to multiple users from the same Windows device.\r\nThe threat actor registers domain names in common formats in order to socially engineer targets into entering their credentials into their phishing sites.\r\n{targeted organization}-corp.net\r\n{targeted organization}-help.com\r\n{targeted organization}-help.net\r\n{targeted organization}-helpdesk.com\r\n{targeted organization}-login.co\r\n{targeted organization}-mfa.com\r\n{targeted organization}-okta.co\r\n{targeted organization}-okta.com\r\n{targeted organization}-okta.net\r\n{targeted organization}-okta.org\r\n{targeted organization}-okta.us\r\n{targeted organization}-onelogin.com\r\n{targeted organization}-sso.com\r\n{targeted organization}-sso.net\r\n{targeted organization}-vpn.com\r\n{targeted organization}-vpn.net\r\n{targeted organization}-vpn.org\r\nokta-{targeted organization}.com\r\nStepping up your defenses\r\nBased on our analysis of this intrusion, we recommend that customers embrace a “defense in depth” approach to protecting user accounts from phishing attacks.\r\nUse strong authenticators with the most phishing-resistant properties, such as FIDO2 WebAuthn platform and roaming authenticators and smart cards. Consider FastPass, Okta’s passwordless solution, as a longer-term strategy to minimize exposure to credential-based attacks.\r\nTrain users to identify indicators of suspicious emails, phishing sites and common social engineering techniques used by attackers. Okta customers can make it easy for users to report potential issues by configuring End User Notifications and Suspicious Activity Reporting.\r\nAuthentication policies can be used to restrict user access to applications based on a range of customer-configurable prerequisites.\r\nUse Behavior Detection to act (via step-up authentication) or alert (via System Log) when a user’s sign-in behavior deviates from a previous pattern of activity. This threat actor is almost always attempting to authenticate from a new device and new IP that has no previous association with the user.\r\nUse Network Zones to deny or perform step-up authentication on requests from rarely-used networks and anonymizing proxies.\r\nRestrict access to applications to only those devices that are registered (with Okta FastPass) or devices managed by endpoint management tools, and\r\nRestrict access to the most sensitive applications and data using application-specific authentication policies. Require re-authentication \"every time\" a user signs into these resources.\r\nProtect administrative sessions: Take a \"Zero Standing Privileges\" approach to administrative access. Assign administrators Custom Admin Roles with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles. Apply ASN and IP Session Binding (from Settings \u003e Features) to all administrative apps to prevent the replay of stolen administrative sessions. Enable Protected Actions (under Settings \u003e Features) to force re-authentication whenever an administrative user attempts to perform sensitive actions.\r\nTalk to your SaaS partners about support for Demonstrating Proof-of-Possession, Continuous Access Evaluation Profile (CAEP) and Universal Logout.\r\nSearching Okta System Log for Scatter Swine TTPs\r\nThe following Okta System Log query searches for SMS events (authentication challenges, password resets or factor enrolment events) from new devices and network locations for a given user, filtered according to known TTPs discovered through the analysis of this campaign.\r\nIf customers are seeking to check which of these messages transited Twilio, add the following to the query:\r\nand debugContext.debugData.smsProvider eq \"TWILIO\"\r\nCustomers using the Okta Add-On for Splunk can run a similar search using the following query:\r\nFurther Threat Hunting\r\nUsing the above TTPs, below is an example query for how you might hunt for potential account takeover attempts.\r\nThis is a starting point and should be adjusted for your environment. A filter for securityContext.isProxy eq \"true\" could reduce the scope of events to review.\r\nEqually, consider that the threat actor is known to use VPS providers that accept Bitcoin as payment. Virtual Private Servers are not classified as proxies.\r\nIn the example below, we assume that:\r\nThe threat actor was NOT using FIDO2/WebAuthn factors.\r\nThe threat actor was using a computer with a Windows operating system.\r\nThe threat actor made the request using a new device and new IP for the target user.\r\nThe threat actor often uses proxies or other anonymization services.\r\nFor further advice on searching Okta System Log for suspicious events, see this support article.\r\nChange log:\r\n1.2 - 03/08/2024\r\nUpdated recommendations to include reauthentication frequency.\r\nUpdated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.\r\n1.1 - 08/30/2022\r\nDetection Logic edited in System Log events to reflect that attributes in logOnlySecurityData are captured in a JSON format {\"Key\":\"Value\"}. Detections that evaluate behaviours (debugContext.debugData.behaviors) take the form of Key=Value and remain unchanged.\r\n1.0 - 08/25/2022\r\nOriginal version published.\r\nSource: https://sec.okta.com/scatterswine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sec.okta.com/scatterswine"
	],
	"report_names": [
		"scatterswine"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04c0b84c975f8b02c37c946299b542336b2ebb68.pdf",
		"text": "https://archive.orkl.eu/04c0b84c975f8b02c37c946299b542336b2ebb68.txt",
		"img": "https://archive.orkl.eu/04c0b84c975f8b02c37c946299b542336b2ebb68.jpg"
	}
}