Twitter has confirmed the long-suspected attack vector that was used by hackers to compromise the internal systems of the microblogging platform.
The Twitter hack in mid July saw the personal accounts belonging to some very public figures and corporations including Elon Musk, Jeff Bezos and Bill Gates, as well as corporate accounts from Apple and Uber, tweeting a bitcoin scam that offered to double people’s bitcoin payment.
So serious was the compromise that CEO Jack Dorsey issued an an immediate apology for the “co-ordinated” attack that targetted Twitter staff “with access to internal systems and tools”.
Twitter revealed that the hackers had targeted 130 Twitter accounts, including Kim Kardashian, Kanye West, Barack Obama, Joe Biden, and Mike Bloomberg, and had downloaded mass data from eight accounts, and had read the private DMs (direct messages) of 36 Twitter accounts.
Twitter had confirmed in the days after the attack that its internal systems that had access to these high profile accounts had been compromised.
Security experts at the time were quick to suggest that a spear-phishing attack was responsible.
And this suspicion has been borne out, after Twitter confirmed this week that the large hack had targeted a small number of staff through a phone “spear phishing” attack.
The confirmation that the attackers had targeted specific staff who had access to account support tools, forced Twitter to subsequently restrict internal access to its internal tools and systems.
“The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter support confirmed. “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
The platform expanded upon this in its ongoing blog post on the incident.
“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools,” said Twitter.
“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes,” it added.
“This knowledge then enabled them to target additional employees who did have access to our account support tools,” said Twitter. “Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter concluded. “This was a striking reminder of how important each person on our team is in protecting our service.”
The admission that social engineering was at the centre of the Twitter compromise, brought a quick response from security professionals.
“As suspected, this breach resulted from social engineering – hackers preying on human vulnerabilities,” said Stuart Reed, UK director at Orange Cyberdefense.
“Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past,” said Reed. “The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others. It is vital organisations employ a layered approach of people, process and technology for optimal cybersecurity.”
“This incident underlines the critical importance of awareness and education among employees and the role they play in good data hygiene – cybersecurity is not the sole concern of an individual or a function, it is a shared responsibility of all,” Reed concluded.
Another expert warned about how sophisticated some of the successful spear phishing campaigns have become.
“Spear phishing is incredibly successful because when executed professionally it can fool even the most savvy of people,” explained Jake Moore, cybersecurity specialist at ESET.
“When someone is targeted over an email there is a decent success rate, but when the threat actor uses a phone call to convey the attack, they can trigger more vulnerable points and play on emotion,” said Moore. “The wording is cleverly used, coupled with tone and a professional-sounding voice. People may not even notice they are under attack, and tend to be less cautious to hand over credentials or other private information.”
“People are reminded to remain alert as con artists will use a variety of threat vectors and are appearing more legitimate than ever,” Moore concluded.
Training is key
Another expert noted that staff training is key to combating this particular attack vector, but many organisations do not offer it.
“Spear-phishing, as a tactic is becoming increasingly popular with cyber-criminals,” said Carl Wearn, head of e-crime at Mimecast. “Our recent State of Email Security report found that 44 percent of UK respondents said that targeted spear-phishing attacks have increased in their organisation over the past 12 months.”
“Shockingly, our research found 56 percent of organisations do not provide awareness training on a frequent basis, which is leaving organisations incredibly vulnerable,” said Wearn. “The potential reputational damage organisations can suffer as a result of attacks such as this one, far outweigh the financial cost of proper training.”
“During the ongoing pandemic the maintenance of cyber-hygiene through strong passwords, the use of multi-factor authentication and clear processes of chains of authorisation are good practice and likely to be key to maintain any organisations integrity with large numbers of people working remotely,” advised Wearn.
“It is critical that the human dimension is considered a key facet of any layered approach to security and that appropriate investment is made to ensure individuals are equipped to make the best decisions and maintain your organisation’s security,” said Wearn.
“Key senior personnel, who can authorise the movement of large sums of money may well be researched via social media and other sources by more sophisticated threat actors and it is important not to overshare on social media or via other online sources if you are in a position of significant seniority or trust,” he concluded.
Do you know all about security? Try our quiz!