BIPI

Twilio August 2022: When the Supply Chain Is Your Helpdesk's Phone

Threat Intelligence

0ktapus did not exploit a zero-day at Twilio. They sent SMS messages to employees, harvested credentials through a clone of the SSO portal, and from there reached Signal users and the Authy MFA app. A look at employee phishing as a supply-chain vector.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 6, 2024 · 8 min read

#twilio #smishing #identity #signal

Twilio is critical infrastructure for thousands of products that send OTPs, alert customers, or run two-factor through Authy. So when the company disclosed an August 4, 2022 breach driven by SMS phishing, the secondary blast radius mattered as much as the primary. The actor cluster Group-IB called 0ktapus, later folded into the Scattered Spider story, was running a textbook identity supply-chain operation.

Timeline

  1. August 4, 2022: Twilio employees receive SMS messages claiming password expiry or schedule changes, directing them to a domain pattern like twilio-okta.com or twilio-sso.com.
  2. Same day: a subset of employees enter credentials and an MFA code into the cloned portal. The attacker relays both to the real Okta tenant in real time.
  3. August 4 through 9: with valid sessions, the attacker accesses internal Twilio tooling. 209 customer accounts are touched.
  4. August 7: Twilio detects unauthorized access through customer reports and internal alerting on Okta session anomalies.
  5. August 15: Twilio's public disclosure. Signal follows with its own notice: 1,900 users had their phone numbers and SMS verification codes exposed because Twilio handles those flows.
  6. August 25: a second incident at Twilio is disclosed. Same actor cluster, separate intrusion. Authy is confirmed reached; 93 accounts had additional devices registered.

Root cause

There was no software vulnerability. The chain was an identity provider that accepted credentials and TOTP codes from any IP, paired with humans who answered an SMS. The attacker registered domains that looked legitimate, generated valid TLS certificates through free CAs, and built a real-time relay so the MFA code had a useful lifetime.

TOTP and SMS codes are bearer secrets: whoever presents a valid code in time is accepted, regardless of who typed it or where. The phishing kit only had to relay the code before it expired.

Attacker actions

Once inside Twilio's internal apps, the actor pivoted to customer-facing tooling that could look up phone number routing and re-trigger SMS verifications. For Signal, that was enough to capture verification codes for targeted accounts. For Authy, the attacker registered additional devices on selected accounts, effectively cloning the second factor. Throughout, the actor used commercial proxy infrastructure and rotated IPs to dodge basic geo-velocity rules.

Detection signals

  • DNS queries from corporate networks to lookalike domains: twilio-okta.com, twilio-sso.com, okta-twilio.net. Newly registered domains containing your brand are a permanent monitoring target.
  • Okta sign-ins with valid credentials and MFA but with user agent or ASN patterns inconsistent with the employee's recent baseline.
  • Short session lifetimes followed by immediate access to admin tooling: classic relay-and-pivot pattern.
  • Authy accounts gaining new devices outside the user's typical pattern. This is the canary for the second wave.
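The first two signals above, lookalike-domain queries and sign-ins that break a user's baseline, can be checked with very little code. The block below is an added example, not tooling from the post or from Twilio; the log shapes, the allowlist, the brand tokens and the ASN values (drawn from the documentation range AS64496 onwards) are all constructed for the illustration.

```python
"""Added example: lookalike-domain and baseline-deviation checks over
constructed DNS and Okta-style sign-in records (assumed shapes)."""
from collections import defaultdict

BRAND_TOKENS = ("twilio", "okta")          # assumed: the brands to watch for
# Assumed allowlist of domains the organisation legitimately uses; anything
# else that carries a brand token is treated as a lookalike candidate.
ALLOWLIST = {"twilio.com", "twilio.okta.com", "okta.com"}


def registrable_domain(fqdn: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the .com/.net samples here."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_allowlisted(fqdn: str) -> bool:
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == a or fqdn.endswith("." + a) for a in ALLOWLIST)


def lookalike_queries(dns_records):
    """Return (source, domain) for queries that carry a brand token but are not ours."""
    hits = []
    for rec in dns_records:
        name = rec["qname"].lower()
        if any(tok in name for tok in BRAND_TOKENS) and not is_allowlisted(name):
            hits.append((rec["src"], registrable_domain(name)))
    return hits


def build_baseline(events):
    """Per-user set of (ASN, user agent) pairs seen on earlier successful sign-ins."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["outcome"] == "SUCCESS":
            baseline[ev["user"]].add((ev["asn"], ev["ua"]))
    return baseline


def anomalous_signins(baseline, events):
    """Successful MFA sign-ins from an (ASN, UA) pair the user has never used before.
    A valid password plus a valid code is exactly what a relay produces, so the
    deviation from baseline is the signal, not the authentication outcome."""
    return [
        (ev["user"], ev["asn"])
        for ev in events
        if ev["outcome"] == "SUCCESS" and ev["mfa"]
        and (ev["asn"], ev["ua"]) not in baseline.get(ev["user"], set())
    ]


# Constructed sample data (not real logs).
SAMPLE_DNS = [
    {"src": "10.0.0.12", "qname": "twilio-okta.com"},     # lookalike
    {"src": "10.0.0.12", "qname": "sso.twilio.com"},      # legitimate, allowlisted
    {"src": "10.0.0.31", "qname": "okta-twilio.net"},     # lookalike
    {"src": "10.0.0.31", "qname": "example.org"},         # no brand token
]
BASELINE_EVENTS = [
    {"user": "alice", "asn": "AS64496", "ua": "Chrome/Mac", "mfa": True, "outcome": "SUCCESS"},
    {"user": "bob",   "asn": "AS64497", "ua": "Firefox/Win", "mfa": True, "outcome": "SUCCESS"},
]
NEW_EVENTS = [
    # same UA but a proxy ASN the user has never come from: flag it
    {"user": "alice", "asn": "AS64500", "ua": "Chrome/Mac", "mfa": True, "outcome": "SUCCESS"},
    {"user": "bob",   "asn": "AS64497", "ua": "Firefox/Win", "mfa": True, "outcome": "SUCCESS"},
]

if __name__ == "__main__":
    print("lookalike queries:", lookalike_queries(SAMPLE_DNS))
    print("anomalous sign-ins:", anomalous_signins(build_baseline(BASELINE_EVENTS), NEW_EVENTS))
```

In production the baseline would be built from weeks of history rather than two events, and the lookalike check would run against newly registered domain feeds as well as internal DNS, since the query only appears once an employee has already tapped the link.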

Lessons

  • Move to phishing-resistant MFA for every account that can touch customer data or production systems. Start with admins and helpdesk.
  • Lookalike domain monitoring is a $50-a-month problem with a multi-million-dollar payoff.
  • Train the helpdesk and engineering staff on the exact playbook: SMS that claims password expiry or schedule change is the dominant lure.
  • If you are downstream of an identity vendor, ask what their MFA policy looks like for their own staff. The 2022 0ktapus campaign hit dozens of companies and the survivors had FIDO2 enforced.
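The root-cause section says TOTP codes are bearer secrets and the first lesson says to move to phishing-resistant MFA. The added example below, which is not code from the post or from any vendor named in it, shows the difference in a local simulation: a TOTP generated per RFC 6238 verifies on the server no matter which site the user typed it into, while an assertion that is signed over the origin the browser reports fails when that origin is a lookalike. The authenticator here is a simplified stand-in for a FIDO2 key (HMAC in place of a public-key signature), and the origins, challenge and keys are constructed.

```python
"""Added example: bearer TOTP vs. origin-bound assertion, simulated locally.
Simplified stand-in for WebAuthn; HMAC replaces the key pair but the check the
relying party performs (signature, origin, challenge) is the same shape."""
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP is HOTP with a time-derived counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP at Unix time `at`."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Nothing here knows who presented the code or from where:
    any party holding a fresh code passes, which is what makes it a bearer secret."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


def authenticator_sign(key: bytes, challenge: str, origin: str):
    """Stand-in authenticator. The browser, not the page content, supplies
    `origin`, and the signature covers it, so the page cannot lie about it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


def rp_verify(key: bytes, expected_origin: str, challenge: str, client_data: bytes, sig: bytes) -> bool:
    """Relying party: signature must be valid AND origin AND challenge must match."""
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["origin"] == expected_origin and data["challenge"] == challenge


# Constructed values: the RFC 4226/6238 test secret, a demo key, demo origins.
SECRET = b"12345678901234567890"
DEVICE_KEY = b"demo-authenticator-key"
REAL_ORIGIN = "https://sso.example.com"          # assumed relying-party origin
LOOKALIKE_ORIGIN = "https://sso-example.example"  # placeholder lookalike origin


def relay_outcomes(now: int):
    """Same user action on a lookalike page, two factors. Returns (totp_accepted, assertion_accepted)."""
    # TOTP: the code the user typed is forwarded 5 seconds later; still inside the window.
    code = totp(SECRET, now)
    totp_accepted = verify_totp(SECRET, code, now + 5)
    # Origin-bound: the user's browser is on the lookalike origin, so that is what is signed.
    challenge = "c3RhdGljLWRlbW8"  # constructed; a real RP issues a fresh random one
    client_data, sig = authenticator_sign(DEVICE_KEY, challenge, LOOKALIKE_ORIGIN)
    assertion_accepted = rp_verify(DEVICE_KEY, REAL_ORIGIN, challenge, client_data, sig)
    return totp_accepted, assertion_accepted


if __name__ == "__main__":
    print(relay_outcomes(59))  # (True, False)
```

The first element is True because the server can only check freshness, not provenance; the second is False because the signed client data names the lookalike origin and the relying party refuses it, which is the property the FIDO2 enforcement in the last lesson buys.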

The Twilio incident reframed what supply chain means. The pipeline did not need a tampered package. The pipeline was the helpdesk's phone, and the patch was a hardware key on every employee's lanyard.
