Drew Angerer/Getty Images
show image

Laurie Clarke

Reporter

How did the Twitter hack really go down?

Twitter has announced that the major hack it suffered this month – which compromised the accounts of some of the most high-profile people in the world – was the result of a successful phone spear-phishing campaign.

The company said in a tweet: “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”

In a fuller update, the company stated that the attack “required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.” The company said not all of those targeted had permission to access account management tools, “but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.”

The hack compromised the accounts of high-profile users including Bill Gates, Joe Biden and Kim Kardashian West, to share a scam asking people to send money to a Bitcoin account. The hackers appeared to raise more than $100,000 from the scam. In its most recent update, Twitter said that the attackers targeted 130 Twitter accounts, tweeted from 45, accessed the direct message inbox of 36, and downloaded the Twitter data of seven.

Twitter said it would share a more detailed technical report at a later date due to the ongoing FBI investigation into the hack, as well as focusing on the immediate need to bolster its security protocols.

On this matter, the company said: “We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason. While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated.”

Motherboard reported shortly after the attack that the hackers had managed to persuade a Twitter insider to carry out the job for them. “We used a rep that literally done all the work for us,” one of the sources told Motherboard, while another said they paid the employee.

But this latest announcement from Twitter throws doubt on this version of events. “It wasn’t a great surprise what [Twitter] came out with in their investigation – Occam’s razor being what it is,” says Alan Woodward, professor of cybersecurity at the University of Surrey. (Occam’s razor refers to the theory that the simplest explanation is likely to be the correct one.) “I was always slightly dubious about the reports of an insider threat [….] The fact that they were phished was much more likely,” says Woodward, noting that more than 90 per cent of successful penetrations into a company’s systems result from a human element.

“If somebody at Twitter had been bribed, of course, I imagine Twitter would be quite reticent to say anything […],” says Woodward, but he adds that now the company has publicly announced that it was a spear-phishing campaign, this reduces the possibility it was a case of bribery, “because if that came out later on, that will just look like a cover up”.

The New York Times reported that a hacker called “Kirk” initially approached people on Discord about the hack and claimed to work for Twitter by demonstrating that they had high-level access to accounts. However, the article says that the hacker he first approached decided that this was probably a lie “because he was too willing to damage the company”.

“There’s quite a significant insider threat, but for insiders it tends to have to be worthwhile because they’re quite likely to get caught,” says Woodward. It’s unlikely an obvious Bitcoin scam would be persuasive enough to tempt a Twitter employee to break the law.

The fact it was a spear-phishing campaign means that there was an element of targeting involved, and the hackers had likely carried out research into which employees might have had access to the internal tools they wished to exploit.

Woodward says this raises questions about how well reinforced the security processes were. “Did they have proper two-factor authentication on the accounts for example? Because phishing is normally very difficult if you’ve got multi-factor authentication,” he says.

“Measures an organisation can take against phishing include authenticating in-bound emails,” says Kevin Curran, professor of cyber security at Ulster University. “This helps as many phishing attacks also contain malware attachments. Implementing a Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain Message Authentication Reporting and Conformance (DMARC) can help guard against spear-phishing and other attacks coming through spoofed email.”

Steps can also be taken to guard against insider threat: “The preventative precautions generally involve some sort of artificial intelligence which monitors for unusual activity among users of a system,” says Curran. “This is not easy, but over time, such systems can become more accurate.

“There is also the question of ‘least privilege’ which is best practice in cyber security. Least privilege basically means that users should only be granted access to the bare system resources needed for them to do their job.”