Multiple parallel investigations into the 15 July hack of Twitter’s systems by cryptocurrency fraudsters have been opened by the Federal Bureau of Investigation’s (FBI’s) San Francisco office and the state of New York, and cyber security researchers are also on the trail of the perpetrators.
As previously reported, the hack is suspected of being an insider breach via a compromised Twitter employee with access to internal tools. It saw multiple prominent accounts hijacked to tweet out a cryptocurrency scam that appears to have netted the people behind it at least $100,000.
Many currently think it highly likely that the hacker or hackers behind the attack were seeking to do nothing more than scam victims out of their cash, a theory that appears to be corroborated by evidence published by security investigator Brian Krebs, which suggests it was perpetrated by a 21-year-old British student currently in Spain who is known as a SIM swapper. SIM swapping is a type of identity theft in which the criminal convinces an employee at a mobile operator to move the target’s phone number to a SIM card the criminal controls. From that point, SMS-delivered one-time codes and password-reset texts for the victim’s accounts arrive on the attacker’s device, which is why SMS-based two-factor authentication offers little protection against this technique and why SIM swappers are routinely able to take over accounts that are protected only by a phone number.
However, even if this is true, a far greater source of concern lies in the fact that the attack went through an internal system rather than through the individual accounts: with that level of access, the perpetrators were not limited to the accounts they chose to abuse, but could have acted on any account on Twitter’s platform and wreaked far more havoc than they appear to have managed.
It is also a distinct possibility, though still unproven, that the perpetrators established persistence within Twitter’s systems, opening the door to further, more damaging cyber attacks. That point was made by F-Secure’s Mikko Hypponen, who said that, as things currently appear, Twitter seems to have got off lightly.
“The attack could have done far worse things than try to scam bitcoins out of people; the attackers had access to everything. They could have done anything on Twitter. They could have started tweeting weird things in the names of the US presidential candidates during the voting this November, for example,” he said.
Tarek Saleh, senior security engineer at DomainTools, said it was sensible for investigators to assume the worst-case scenario.
“We can, and should, expect this attack group to take full advantage of their admin-level access to Twitter’s platform and assume that these impacted accounts also had their private direct messages stolen,” said Saleh.
“Private message data can potentially have a huge impact on extorting those individuals or contain other highly personal or sensitive secrets. I think we’re going to see a large ripple effect from this breach for a while to come.”
Immuniweb founder Ilia Kolochenko added: “This incident highlights the extreme fragility of the modern information space. In a similar disinformation campaign, nation-state actors may simply announce a military or nuclear incident and provoke national havoc or spread fake news about a rival business to ruin its stock price and then purchase it for pennies.”
In a statement, New York state governor Andrew Cuomo said: “The Twitter hack and widespread takeover of verified Twitter accounts is deeply troubling and raises concerns about the cyber security of our communications systems, which are critical as we approach the upcoming presidential election.
“With more than 300 million users, Twitter is a primary source of news for many, making it a target for bad actors. This type of hack by con artists for financial gain can also be a tool of foreign actors and others to spread disinformation and – as we’ve witnessed – disrupt our elections.
“I am directing a full investigation into this massive hack through the New York Department of Financial Services and any other relevant state agency to bring the facts to light. Foreign interference remains a grave threat to our democracy and New York will continue to lead the fight to protect our democracy and the integrity of our elections in any way we can.”
130 accounts hit
With its own probe ongoing, a Twitter spokesperson said: “Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.
“We’re working with impacted account owners and will continue to do so over the next several days. We are continuing to assess whether non-public data related to these accounts was compromised, and will provide updates if we determine that occurred.
“We have also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may take and will share more details as soon as we can.”
The UK’s National Cyber Security Centre (NCSC) said: “We are aware of a cyber attack on Twitter and have reached out to the company.
“While this appears to be an attack on the company rather than individual users, we would urge people to treat requests for money or sensitive information on social media with extreme caution.
“The NCSC has recently produced guidance for organisations on protecting what they publish on social media, and more widely we would remind people of our advice on staying secure through measures such as strong passwords and turning on two-factor authentication (2FA).”
Tom Lysemose Hansen, CTO at Promon, said: “While we would like to hope that this is the end of this particular attack, there are also yet-to-be-discovered implications with regards to end-user security. It is currently unknown as to whether any personal data has been breached. As a result, there is now an onus on all Twitter users to ensure that they are using strong and unique passwords, and have multifactor authentication enabled to mitigate any potential risk of future attacks.”