A breach of social media platform Twitter thought to be facilitated by a company employee has drawn attention to the risks posed by so-called “turncloaks” or malicious insiders. On July 15, hundreds of accounts were compromised when a hacker breached Twitter’s internal systems and began tweeting requests for Bitcoin transfers. Though the financial damage was relatively minimal for such a large-scale attack, the breach has highlighted companies’ need to assiduously monitor employee behavior and access privileges.
The hackers posted fraudulent messages from a host of verified accounts, including those belonging to Bill Gates, Elon Musk, Mike Bloomberg, Jeff Bezos, Barack Obama, Joe Biden and Kanye West. They also succeeded in gaining access to the company accounts for Uber and Apple and cryptocurrency platforms Coinbase and Gemini. The tweets posted by the cybercriminals solicited transfers of Bitcoin under the pretense of doubling investors’ money. The message posted from Bill Gates’ account read, “Everyone is asking me to give back and now is the time. You send me $1,000, I send you back $2,000.”
Despite the relatively unsophisticated nature of the scam, the hackers still managed to convince victims to transfer over $115,000 worth of Bitcoin. Considering the reach of many of the platform’s verified users (Obama has over 121 million followers), it is likely they forecast a much higher payout. Currency exchange platform Coinbase prevented around 1,000 customers from transferring a further $280,000 by blacklisting the hacker’s digital wallet. Praising the company for its rapid response, KCL cybersecurity researcher Dr Alexei Drew warned that progressive regulation of cryptocurrency exchanges was vital in the fight against cyberattacks. “While Coinbase might have these proactive policies in place […] there are other exchanges and cryptocurrencies that are far more lax and better suited to nefarious use.”
Twitter claims the breach was due to “a coordinated social engineering attack” in which attackers “successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems.” However, a report by Vice publication Motherboard asserts that a company employee was in fact responsible for the account takeovers, with leaked screenshots showing an internal tool being used to change the email addresses associated with certain accounts. Whether the insider carried out the attack themselves or gave the hackers access to this tool remains unknown.
The breach was significant due to the large number of compromised accounts and the amount of time it took Twitter to regain control of its systems. While the first tweets appeared around 3:00 P.M. EDT, the company could not initially prevent the hackers from posting, with Elon Musk’s account continuing to broadcast the same Bitcoin request for several hours. The company released a statement that afternoon warning that Twitter users might be prevented from tweeting or resetting their passwords while it worked to mitigate the impact of the attack. Consequently, the majority of verified Twitter users were temporarily unable to post from their accounts, and government agencies including the National Weather Service could not communicate important news and alerts.
Suggesting the breach was possibly the worst ever suffered by the company, SocialProof Security CEO Rachel Tobac declared, “We are lucky the attackers [were] going after Bitcoin and [were] not motivated by chaos and destruction.” However, Twitter admitted that the hackers downloaded the data (including private messages) for at least eight accounts, causing many to speculate on an ulterior motive. The criminals also used the breach to transfer ownership of several highly sought-after “OG” accounts, including the handle “@6”. The FBI is currently investigating exactly how and why they accessed Twitter’s systems.
Though insider threats are nothing new, the coronavirus pandemic has seen them become increasingly widespread. Michael Hamilton, former CISO for the City of Seattle, claims the economic downturn has resulted in more employees accepting bribes in return for inside information. In the wake of the breach, Twitter will need to carefully review user access to various tools and systems to avoid a repeat attack. The company has also vowed to educate employees on how to recognize and avoid social engineering attacks launched by cybercriminals.
At Soteria, we keep pace with all the latest evolutions in the digital threat landscape and offer a range of solutions designed to mitigate cybersecurity risks such as insider threats. Our cybersecurity awareness product, Cywareness, teaches employees how to prevent, detect and deal with some of the most common threats to company and personal data. Contact us today to find out more.