It was the summer cyberattack that had social media buzzing.
A group of teenagers used social engineering to breach Twitter's network and take over the accounts of a whole bunch of A-listers.
People like Barack Obama, Bill Gates, Kim Kardashian West, Jeff Bezos, and Elon Musk were suddenly tweeting about a "can't-miss" double-your-Bitcoin opportunity that was really a scam.
The teens also took over Twitter accounts of several cryptocurrency companies regulated by the New York State Department of Financial Services (NYDFS), which helped trigger an investigation by the department.
The investigation revealed exactly how the teens carried out the attack, and it reached three significant conclusions, which can be summarized like this:
- Twitter is to blame for the cyberattack's success because of inadequate cybersecurity going all the way to the top.
- New York should increase cybersecurity regulations as a result, especially for social media companies.
- This "garden variety cyberattack" foreshadows much greater damage in the future, unless things change now.
New York investigation blames Twitter for lax cybersecurity in attack
In its new report, the NYDFS says the cyberattack and resulting Bitcoin scam netted the teen hackers at least $118,000.
However, investigators say the biggest problem they uncovered was poor cybersecurity at Twitter.
From the report:
"The Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers' success was due in large part to weaknesses in Twitter's internal cybersecurity protocols."
And they traced the cybersecurity failures to a lack of leadership and a vacant Chief Information Security Officer role:
"The problems started at the top: Twitter had not had a chief information security officer ('CISO') since December 2019, seven months before the Twitter Hack. A lack of strong leadership and senior-level engagement is a common source of cybersecurity weaknesses.
Strong leadership is especially needed in 2020, when the COVID-19 pandemic has created a host of new challenges for IT and cybersecurity. Like many organizations, in March Twitter transitioned to remote working due to the pandemic. This transition made Twitter more vulnerable to a cyberattack and compounded existing weaknesses."
We've been hearing for months about the expanded attack surface in a work from home environment, and now Twitter has become Exhibit A in that regard.
How did the Twitter account takeover attack work?
I still remember reading hacker Kevin Mitnick's book "Ghost in the Wires" a few years ago. As a teenager, he discovered that social engineering was a trick that worked.
"I would call the company I'd targeted, ask for their computer room, make sure I was talking to a system administrator, and tell him, 'This is [whatever fictitious name popped into my head at that moment], from DEC support. We've discovered a catastrophic bug in your version of RSTS/E. You could lose your data.'
This is a very powerful social-engineering technique, because the fear of losing data is so great that most people won't hesitate to cooperate.
With the person sufficiently scared, I'd say, 'We can patch your system without interfering with your operations.' By that point the guy (or sometimes, lady) could hardly wait to give me the dial-up phone number and access to the system-manager account."
And it seems that the teen hackers in the Twitter account takeover attack ran a similar social engineering routine, updated to match 2020 technology and the technical challenges created by work from home.
From the report:
"The Twitter Hack started on the afternoon of July 14, 2020, when one or more Hackers called several Twitter employees and claimed to be calling from the Help Desk in Twitter's IT department. The Hackers claimed they were responding to a reported problem the employee was having with Twitter's Virtual Private Network ('VPN')."
Investigators found that VPN trouble was common at Twitter after the sudden shift to remote work. This is something end-users at many organizations experienced.
And at Twitter, it gave the teen hackers the cover they needed to make their social engineering scam seem believable.
"The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain.
As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA notification requesting that the employees authenticate themselves, which some of the employees did."
And the hackers added a key element to their social engineering scam, which helped them achieve success:
"...the Hackers used personal information about the employees to convince them that the Hackers were legitimate and could, therefore, be trusted."
Ah, yes. We're from the Help Desk and are here to help.
This allowed the hackers to gain access to an internal dashboard, where they searched for OG or "original gangster" accounts. These are coveted, longstanding accounts, often early Twitter adopters, with large followings.
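The credential-and-MFA relay the report describes, as an added example that is not part of the original article or of Twitter's systems: a small Python model in which a lookalike VPN page forwards whatever the employee types to the real portal in real time. It then shows why an approve/deny push prompt is defeated by that relay while an origin-bound second factor (WebAuthn-style, modeled here as an HMAC over the server's challenge and the origin of the page the browser is on) is not. The domains, the user, the keys and the toy signing scheme are all constructed assumptions.

```python
"""Model of the real-time phishing relay described in the NYDFS report.

Constructed illustration only: the domains, users, keys and the toy
signing scheme are assumptions, not Twitter's systems or the report's text.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REAL_ORIGIN = "https://vpn.example.com"      # assumed real VPN portal
PHISH_ORIGIN = "https://vpn-example.com"     # assumed lookalike domain


@dataclass
class Employee:
    username: str
    password: str
    device_key: bytes  # secret that never leaves the employee's authenticator


def sign(device_key: bytes, challenge: str, origin: str) -> bytes:
    """Stand-in for a WebAuthn assertion: the authenticator signs the server's
    challenge together with the origin of the page the browser is on.
    The phishing page cannot choose that origin; the browser fills it in."""
    msg = f"{challenge}|{origin}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class RealVpnServer:
    def __init__(self, users):
        self.users: Dict[str, Employee] = {u.username: u for u in users}
        self.pending: Dict[str, str] = {}  # challenge -> username awaiting MFA

    def start_login(self, username: str, password: str) -> Optional[str]:
        """First factor. Returns an MFA challenge if the password is right."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password, password):
            return None
        challenge = secrets.token_hex(16)
        self.pending[challenge] = username
        return challenge

    def finish_push(self, challenge: Optional[str], approved: bool) -> bool:
        """Push-notification MFA: the server only learns approve/deny.
        Nothing in the approval says which website the employee was on."""
        username = self.pending.pop(challenge, None)
        return username is not None and approved

    def finish_webauthn(self, challenge: Optional[str], signature: bytes) -> bool:
        """Origin-bound MFA: the server recomputes the assertion over ITS own
        origin; an assertion produced on any other origin will not verify."""
        username = self.pending.pop(challenge, None)
        if username is None:
            return False
        expected = sign(self.users[username].device_key, challenge, REAL_ORIGIN)
        return hmac.compare_digest(expected, signature)


class PhishingProxy:
    """The lookalike site: whatever the victim types is forwarded to the
    real portal at once, which is what the report describes."""

    def __init__(self, real: RealVpnServer):
        self.real = real

    def relay_credentials(self, username: str, password: str) -> Optional[str]:
        # Attacker types the captured password into the real portal, which
        # now issues an MFA challenge the phisher will relay back.
        return self.real.start_login(username, password)


def _setup() -> Tuple[Employee, RealVpnServer, PhishingProxy]:
    alice = Employee("alice", "correct-horse-battery", secrets.token_bytes(32))
    real = RealVpnServer([alice])
    return alice, real, PhishingProxy(real)


def push_mfa_attack(victim_approves: bool = True) -> bool:
    """The report's scenario: caller poses as the help desk, victim logs in
    on the lookalike page, then approves the push prompt on their phone."""
    alice, real, phish = _setup()
    challenge = phish.relay_credentials(alice.username, alice.password)
    # The real server pushes a prompt to alice's phone; the caller says "approve".
    return real.finish_push(challenge, approved=victim_approves)


def webauthn_attack() -> bool:
    """Same relay, but the second factor is origin-bound."""
    alice, real, phish = _setup()
    challenge = phish.relay_credentials(alice.username, alice.password)
    # The phisher forwards the challenge to the victim's browser, which is on
    # PHISH_ORIGIN, so that is the origin the authenticator signs over.
    assertion = sign(alice.device_key, challenge, PHISH_ORIGIN)
    return real.finish_webauthn(challenge, assertion)


def webauthn_legit_login() -> bool:
    """Control: the same factor is accepted when used on the real origin."""
    alice, real, _ = _setup()
    challenge = real.start_login(alice.username, alice.password)
    assertion = sign(alice.device_key, challenge, REAL_ORIGIN)
    return real.finish_webauthn(challenge, assertion)


if __name__ == "__main__":
    print("push MFA, victim approves ->", push_mfa_attack())        # True
    print("push MFA, victim declines ->", push_mfa_attack(False))   # False
    print("origin-bound MFA, relayed ->", webauthn_attack())         # False
    print("origin-bound MFA, legit   ->", webauthn_legit_login())    # True
```

The push variant succeeds because the only thing the real server ever learns is "approved", and a convincing caller can get that tap. Number-matching prompts do not close the gap by themselves: the attacker sees the number on the real portal and can read it to the victim over the phone. The origin-bound variant fails because the assertion was produced on the lookalike origin, which is the property that makes FIDO2/WebAuthn phishing-resistant.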
"Between approximately 3 a.m. and 10 a.m. on July 15, 2020, the Hackers allegedly discussed through online chat messages the takeover and sale of OG Twitter usernames in exchange for bitcoin, which Twitter confirmed resulted in the compromise of multiple accounts."
But investigators say the teen hackers then took over many more accounts to launch the Bitcoin scam.
"The Hackers further escalated the Twitter Hack and changed the fraud scheme by tweeting payment requests directly from overtaken cryptocurrency companies' accounts. At approximately 3:18 p.m., the Hackers seized the account of Binance, a cryptocurrency exchange and sent the following tweet, which included a link which linked to a bitcoin scam address.
Between approximately 3:26 p.m. and 4:12 p.m., the Hackers hijacked ten cryptocurrency-related accounts (including Department-regulated entities Coinbase, Gemini Trust Company, and Square, Inc.).
The Hackers then raised the stakes significantly and targeted verified Twitter accounts with millions of followers. Between 4:17 p.m. and 6:05 p.m., the Hackers sent tweets from compromised accounts belonging to high-profile figures and companies..." such as former Vice President Joe Biden, Uber, Warren Buffett, Apple, and many others.
"The Hackers also used some of the compromised accounts to resend the same bitcoin scam tweets multiple times. Given the number of followers for each high-profile user account, the fraudulent tweets reached millions of potential victims across the globe."
The Twitter cyberattack could have caused greater damage
The New York report explains that the consequences of this cyberattack against a social media company could have been far worse:
"The implications of the Twitter Hack extend far beyond this garden-variety fraud. There are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts. In the hands of a dangerous adversary, the same access obtained by the Hackers—the ability to take control of any Twitter users' account—could cause even greater harm.
The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies."
How do you prevent the weaponizing of social media? The New York State Department of Financial Services says the cybersecurity of these companies needs to be tightly regulated.
NY: social media cybersecurity needs new regulations and regulators
At SecureWorld conferences over the last couple of years, we've heard a lot of talk about New York's cybersecurity regulations focused on the financial services industry.
New York's SHIELD Act more broadly increased data breach notification standards and requires "reasonable cybersecurity."
However, the NYDFS says social media companies need a two-pronged increase in regulation to drive significant improvements in information security. The first prong focuses on new regulations:
"Given the criticality of Twitter and other major social media companies, more oversight should be required. A cybersecurity regulation for large social media companies should be both more detailed and require more security in high-risk areas.
In light of the issues exposed by the Twitter Hack, regulatory guidance is necessary to ensure large social media companies have proper controls in place to appropriately mitigate ever-evolving risks."
And the second prong focuses on a new regulator, possibly from a newly created regulatory body:
"Social media companies currently have no dedicated regulator. They are subject to the same general oversight applicable to other companies... But there are no regulators that have the authority to uniformly regulate social media platforms that operate over the internet, and to address the cybersecurity concerns identified in this Report. That regulatory vacuum must be filled."
Twitter attack conclusion: social media is now critical infrastructure
Should Twitter, Facebook, and other social media giants be treated like critical infrastructure? And if so, should they have their cybersecurity programs regulated as though we all depend on their success?
The final paragraphs of the New York report certainly make that case:
"The David to this Goliath was a group of unsophisticated cyber crooks who exploited social media to create widespread disruption for hundreds of millions of users.
The election weeks away puts a spotlight on the need to improve cybersecurity to prevent misuse of social media platforms.
Social media companies have evolved into an indispensable means of communications: more than half of Americans use social media to get news, and connect with colleagues, family, and friends. This evolution calls for a regulatory regime that reflects social media as critical infrastructure."
We'll see if any of this comes to pass. But if it does, it will be fascinating to think that a group of teenage hackers created such a shift in the regulatory landscape.