Fresh from suffering an “embarrassing” hack that saw accounts of high-profile users being hijacked, social media platform Twitter is attempting to regain user trust and working with law enforcement to bring the hackers to book.
On Saturday, Twitter issued an update after last week’s much-publicised social engineering attack targeting top users such as US presidential candidate Joe Biden, Tesla CEO Elon Musk, former US president Barack Obama, and reality TV star Kim Kardashian.
The attackers also hijacked the accounts of Microsoft founder Bill Gates, Uber and Apple, among others, with the hackers demanding to be paid in crypto-currency.
In the security update, Twitter says it believes the attackers targeted certain employees through a social engineering scheme.
In this context, it explains that social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.
According to Twitter, the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through the platform’s two-factor protections.
“As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,” it says.
“For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.”
Regaining control
For up to eight of the Twitter accounts involved, the company says the attackers took the additional step of downloading the accounts’ information through the “Your Twitter Data” tool.
This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity.
“We are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts,” says Twitter.
Twitter became aware of the attackers’ action on Wednesday, and moved to lock down and regain control of the compromised accounts.
“Our incident response team secured and revoked access to internal systems to prevent the attackers from further accessing our systems or the individual accounts.”
However, the company says it is deliberately limiting the detail it shares on remediation steps at this time to protect their effectiveness and will provide more technical details, where possible, in the future.
“In addition to our efforts behind the scenes, shortly after we became aware of the ongoing situation, we took pre-emptive measures to restrict functionality for many accounts on Twitter – this included things like preventing them from tweeting or changing passwords.
“We did this to prevent the attackers from further spreading their scam as well as to prevent them from being able to take control of any additional accounts while we were investigating. We also locked accounts where a password had been recently changed out of an abundance of caution. Late on Wednesday, we were able to return tweeting functionality to many accounts, and as of today, have restored most of the accounts that were locked pending password changes for their owners.”
Through all of this, Twitter says it also begins the long work of rebuilding trust with the people who use and depend on Twitter.
“We’re acutely aware of our responsibilities to the people who use our service and to society more generally. We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.
“We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.
“We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We have multiple teams working around the clock focused on this and on keeping the people who use Twitter safe and informed.”
Criminal community
Meanwhile, Allison Nixon, chief research officer, Unit 221B, a cyber security firm specialising in financially motivated cyber attacks, believes the individuals behind the Twitter breach likely come out of the platform’s OG Community, a group that Unit 221B activity tracks for its own customers.
She explains that the OG community began as a group of hackers interested in OriGinal Twitter handles with single digits or low numbers which have perceived prestige and value, but includes groups interested in all manner of cyber crime and cyber fraud.
“Based upon what we have seen, the motivation for the most recent Twitter attack is similar to previous incidents we have observed in the OG community – a combination of financial incentive, technical bragging rights, challenge and disruption,” Nixon says.
“The OG community is not known to be tied to any nation state. Rather they are a disorganised crime community with a basic skillset and are a loosely organised group of serial fraudsters.
Nixon notes that Unit 221B saw what was happening with the Twitter attack in its early stages. “We recognised that the Twitter attack matched similar attacks we had seen in the OG Community, and that it followed the same motivations, tactics and techniques that mirror the OG Community, a group that Unit 221B actively profiles and monitors.
“In tracking this community, we have observed that they are highly practised at both insider recruitment and social engineering – the ability to obtain inside access to sophisticated tools and high-level access to password resets and account takeovers, either by tricking lower-level support staff or by corrupting them.”
According to Nixon, this criminal community is known for crypto theft and SIM swapping, and insider recruitment is one of the key techniques they use to accomplish this goal.
In the SIM swap community, she says, the OG hackers have been able to take over targets’ cellphone numbers (often repeatedly) by corrupting help-desk or similar lower paid employees, and using the access provided to redirect phone traffic to their phones.
This has enabled tens of millions of dollars of losses to Bitcoin vendors, says Nixon, adding that similar techniques used by the OG community may have permitted them to obtain access to protected Twitter accounts.
Share