Friday 17th July 2020

BLOG: Beyond the scam: geopolitical implications of the Twitter hack

The breach of Twitter on 15 July was an attempted scam with an ultimately unsophisticated motive – de-frauding users of their Bitcoins. However, the breach also served to demonstrate how vulnerable the platform is relative to its global significance. In the context of the upcoming US presidential election elections, concerns have been raised around the platform’s ability to protect accounts of geopolitical and economic importance.

The breach

On the evening of 15 July, multiple Twitter accounts belonging to prominent political figures, technology companies and cryptocurrency exchanges were hijacked to tweet out Bitcoin addresses. Victims include Barack Obama, Joe Biden, Elon Musk, Warren Buffet, Bill Gates, Jeff Bezos, Apple, Uber, Binance, Coinbase and others. According to the platform, up to 130 accounts were targeted, with only a handful of these successfully breached.[1] These accounts tweeted out nearly identical tweets promising to double cryptocurrency payments sent to a Bitcoin address, with only slight variation on content (see images below).

*Figure 1: Screenshots taken by BBC News. [2]*

The attack vectors

Several theories have emerged concerning the nature of the attack vector, from SIM-swapping to a manipulated insider. While both vectors have precedent, the current evidence suggests an insider threat is more likely. While Twitter CEO Jack Dorsey had been the victim of a SIM swap attack in August 2019, the Washington Post also reported in November 2019 that two former Twitter employees were charged by the US Justice Department with spying on Saudi Arabian political dissidents.[3] [4] There also has been a precedent for rogue employee behaviour when an employee deleted Donald Trump’s account on their last day with Twitter in November 2017.[5]

In response to the compromised accounts, Twitter’s security team prevented verified accounts from tweeting for several hours, calling the breach a “coordinated social engineering attack” targeting “employees with access to internal systems and tools”. This was corroborated with screenshots obtained by Motherboard that showed an internal control panel allowing Twitter employees to view an account’s status and inclusion in blacklists. It is still unclear whether the employee in question was coerced, acted for financial gain, or had their credentials compromised in a social engineering attack.

We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
— Twitter Support (@TwitterSupport) July 15, 2020

*Figure 2: A screenshot of the alleged Twitter administrator control panel[6]*

Having obtained access to this administrator account, the attackers were able to use the control panel to change settings to accounts remotely, such as disabling two-factor authentication (2FA), initiating a password reset, and changing the account email.[7] This would have allowed attackers to effectively take full control of the account while remaining undetected by the platform. It also still unclear whether the attackers gained access to the accounts’ direct messages, which may pose a significant risk to the breached political figures mentioned previously.

Intent and attribution

Cybersecurity firms have been cautious in attributing the breach due to a relative lack of evidence and the recency of the breach. Moreover, the fact that prominent political figures were targeted has led to some commentators raising the possibility that the scam was merely a cover for intelligence collection.

With that caveat in mind, the breach follows a well-known formula for Bitcoin scams, where cybercriminals attempt to lure users with the promise of a doubled Bitcoin payment- these are known in the cryptocurrency community as a “Bitcoin doubler” scam, itself a variation on the tried and trusted advance fee fraud model. In under two hours, the attackers were able to amass approximately 12.86 BTC over 432 transactions, roughly equivalent to GBP93,349- indicating an average transaction of over GBP200.

During the breach, the attackers regularly exfiltrated the funds from the wallet to other sub-wallets shortly after receiving the 100^th and 200^th payments, demonstrating a relative degree of planning. These tactics first seem to correspond to low-level cybercriminals looking to make a rapid profit.

*Figure 3: Account balance of the attackers’ wallet. Data from walletexplorer.com*

A post by KrebsOnSecurity found that a user named “chaewon” posted on a popular SIM swapping and account hijacking forum several days before the breach offering users the capability to replace the associated email address to “any” Twitter account for USD250, in addition to full account access for up to USD3,000. The account has since been banned from the forum by request on the user, after changing its username and profile picture. The account seems to have an organic post history dating back to 2017 and was engaged in selling and buying accounts over multiple platforms, including Twitter, Instagram, Facebook and others.

Figure 4: chaewon’s profile on the forum as captured by KrebsOnSecurity

Figure 5: The now-banned user profile on the forum[8]

Figure 6: The username change history for the profile revealing that the profile was originally titled “Mars”**[9]**

Potential geopolitical implications

Among the accounts targeted for their following of cryptocurrency enthusiasts, such as Elon Musk, Bill Gates, and Warren Buffett, the targeting of Barack Obama and Joe Biden has also highlighted the potential political or geopolitical risk that could stem from a threat actor manipulating Twitter accounts.

There is precedence for nation-state activity on the platform. This was most notably during the case during the 2016 US election, but it was reported by the UK government that Russia had interfered on social media during the 2017 Brexit referendum and 2019 general election, notably with the leaking and promotion of secret trade documents between the US and UK involving the NHS.[10] As already noted, there is also an existing example of malicious insiders found to be working for the Saudi Arabian government.[11] There is also a prior case of alleged nation-state activity aiming to manipulate stock markets, as demonstrated by the April 2013 hack of the official Associated Press Twitter account, from which attackers tweeted that the two explosions had hit the White House.[12]

Following “the worst hack on a major social media platform yet” according to Crowdstrike co-founder Dmitri Alperovitch, many political commentators have connected this hack to the upcoming 2020 US elections, with worries surfacing that these types of capabilities may be leveraged by more sophisticated nation-state actors to influence the course of the election.[13] Research by King’s College London’s Center for Science & Security Studies examines the specific geopolitical implications of “Twitter diplomacy”, whereby strategic decisions and conflict escalation is increasingly conducted on the platform.[14] A recent example of this seen in November 2019 with tensions between Iran and the United States, with Donald Trump announcing sanctions on Iran by referencing the popular “Game of Thrones” television show in a tweet.

*Figure 7: Picture tweeted out by US President Donald Trump suggesting new sanctions on Iran[15]*

Breaching social media platforms like Twitter will be of increased strategic relevance for nation-states both for political intelligence and conflict management. With Twitter’s administrative capabilities and associated vulnerabilities on display during the recent breach, we estimate that threat actors will be encouraged to continue breaching high-value social media accounts for strategic and tactical effect in the future.

Recommended mitigation

Looking beyond the potential geopolitical ramifications of the breach, the capability demonstrated by low-profile cybercriminals in this breach highlights that companies should take supplementary measures to secure their social media accounts. We recommend implementing the following measures to limit risk associated to social media takeovers:

Enabling Multi-Factor Authentication (MFA) to avoid a single point of failure- this can be done by using hardware tokens or a dedicated authentication app
Revisiting employee access policy for corporate social media accounts
Train employees on common social engineering attack vectors such as phishing and smishing
Conduct regular security audits and penetration testing of these accounts to ensure their security

[1] https://twitter.com/TwitterSupport/status/1283957910708662273?s=20

[2] https://www.bbc.co.uk/news/technology-53425822

[3] https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html

[4] https://www.washingtonpost.com/national-security/former-twitter-employees-charged-with-spying-for-saudi-arabia-by-digging-into-the-accounts-of-kingdom-critics/2019/11/06/2e9593da-00a0-11ea-8bab-0fc209e065a8_story.html

[5] https://www.vice.com/en_us/article/pa3ze8/twitter-deactivated-donald-trump

[6] https://www.vice.com/en_uk/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos

[7] https://medium.com/@lucky225/the-twitter-hack-what-exactly-happened-d8740d33c1c

[8] https://ogusers.com/hahsbdbsbd

[9] https://ogusers.com/misc.php?action=username_history&uhuid=540

[10] https://www.theguardian.com/uk-news/2020/jul/16/uk-says-russia-sought-to-interfere-in-2019-election-by-leaking-documents-online

[11] https://www.wired.com/story/twitter-hack-could-have-been-much-worse/

[12] https://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall