On 15 July, Twitter was hacked in an epic way. One-by-one, a number of accounts were targeted and compromised, including verified accounts of famous users including Elon Musk, Bill Gates, Barack Obama, Kanye West and Joe Biden, and a number of Twitter accounts for major cryptocurrency exchanges also started posting messages like this:
All of the compromised Twitter accounts were pushing the same bitcoin scam. At the peak, the hackers were pushing out several scam messages from different Twitter accounts every second. This was verifiable by watching the tweets accumulate on Twitter through a search of the bitcoin address being used.
Twitter has subsequently stated that only 130 accounts were targeted – and of those only 45 were successfully breached. The first accurate speculation on the cause of the hack came from @RachelTobac:
Twitter was initially taken off-guard by the attack that effectively leveraged the tool it typically uses to help safeguard individual accounts. As quickly as rogue tweets were eliminated, they could still be replaced by the hackers in the same account. As an example, the tweet from the Barack Obama account was removed but then reposted a short time later.
With all credit to the Twitter security team, it took just a short time to work out how to block the attack.
First the single bitcoin address being used was blocked from appearing in the body of any Twitter message.
Acknowledging the extent of the issue, Twitter then restricted and closed many accounts (especially verified accounts) from tweeting.
Many infosec professionals highlighted the fact that although the hacker (or hackers) showed quite a proficient level of skill, the person or people involved also looked relatively new to the game. Most significantly, they had burned a highly valuable exploit (one which Twitter would undoubtedly have paid a substantial bug bounty for) to try and obtain a small amount of very visible (and reasonably traceable) bitcoin.
How many people fell for the scam? Exactly 374 when I first drafted this article – 394 a few days later, yielding a total haul of less than 13 bitcoins, a pittance compared to the nearly 4% immediate short-term drop in the Twitter share value.
How Did the Hackers Do It?
What is known is that hackers orchestrated a series of social engineering attacks against Twitter staff that had access to the internal administrative tools that Twitter can use to recover and reset accounts.
This is, however, a somewhat simplistic view of the overall attack.
Anyone who has read Cybersecurity for Beginners will know that I assert all major breaches or hacks are not down to the failure of a single security control but require a minimum of three critical or major controls to be compromised. (Cybersecurity for Beginners: Chapter 12 – Stacked Risks)
Cybersecurity conspiracy theories abound – but based on my own security management and security auditing experience, I think the most likely series of events and security control failures will turn out to be as follows:
- Due to the coronavirus, some Twitter employees were allowed to run internal administrative functions remotely (working from home).
- It may also have been the case that some or all of these employees were permitted to run these functions on their own devices (BYOD).
- Social engineering scams work best when they can leverage a real event – in this case, most likely the brief global outage of the Microsoft Outlook desktop. In my book How to Hack a Human, I referred to this technique as storm-chasing:
- The social engineering call could have pretended to be an internal Twitter support service using non-standard authentication due to the email outage.
- By instructing a number of staff to perform certain actions, those staff may have granted remote access to their devices – which could be used to either scrape administrative access credentials or simply pivot admin tool access from those devices. (Undoubtedly, Twitter will have had MFA multi-factor authentication to their admin console, so just obtaining a password is unthinkable.)
- At this point, we get to the most critical of all of the security failures, that inadequate PAM (privileged account management) meant that the rogue access to the internal Twitter tool used to reset and administer Twitter accounts could be operated with impunity for what (in security terms) was quite a while – around an hour or more.
Did this attack also use automation or a script? This is possible given the rate at which the scam messages were being posted, but it most likely used a small community of hackers given that many of the messages seemed to include side notes from the people sending them (such as “#Enjoy”)
(Update: Since first writing this article, it was first alleged that a rogue insider was paid and complicit with the hack. This subsequently looks to be a false flag sent out by one of the hackers involved. It also appears as though the hackers may be UK-based and have been preparing the attack for some time.)
Ultimately, the fallout from this hack could have been much worse – as one user pointed out at the time:
Editor’s note: Events like these underscore the critical need for strong cyber maturity. Learn more about ISACA’s CMMI Cybermaturity Platform here.