Twitter / WIRED
The 37 million followers of Elon Musk on Twitter might well have bought the proposal, briefly. The Tesla and SpaceX founder had seemingly tweeted that any bitcoin sent to a particular wallet would be returned – with the amount doubled. But when three minutes later Democratic presidential nominee Joe Biden tweeted out exactly the same message – then Barack Obama a little later, alongside Kanye West, Jeff Bezos, Kim Kardashian and the accounts of Uber and Apple – it became even more obvious that something wasn’t right.
Within five hours at least 375 transactions were made, sending bitcoin worth more than $120,000 to the wallet mentioned in each of the tweets, according to bitcoin software provider Chainalysis. Two other wallets that were also used in similar tweets posted by verified accounts logged a further 100 transactions, and transferred a further $6,700 in cryptocurrency. “They knew this was a bit of a smash and grab, because they knew someone was going to spot it very quickly,” says Alan Woodward, professor of cybersecurity at the University of Surrey. All told, it wasn’t a bad day’s work for the people responsible for the hack.
For Twitter, it was a disaster. Founder and CEO Jack Dorsey called it a “tough day for all of us at Twitter”. In fact, it was arguably the worst cybersecurity incident the company has ever faced. Twitter claims a co-ordinated social engineering attack targeted a handful of employees with access to administrative tools that allowed them to take control of high-profile accounts and tweet on their behalf. “We’re looking into what other malicious activity they may have conducted or information they may have accessed,” the company added.
“This never happens,” says Mikko Hyppönen, chief research officer at F-Secure, a cybersecurity firm. “This is the single biggest security incident in Twitter’s history.” The company’s attempt to stymie the attack was more of a blunt force response than a carefully tailored takedown of the incursion – things can get messy when an attack is happening in real-time. Every verified account was stopped from posting tweets for several hours while the company identified what had gone wrong, while it also blocked people from sharing the specific addresses of the bitcoin wallets that were being promoted.
The incident demonstrated the immense power that administrator accounts have over social platforms such as Twitter. Various reports indicate that the attackers may either have paid off a Twitter employee able to access the administrative dashboard that would allow them to post tweets from accounts, or used social engineering – such as a spear phishing attack – to gain access to the dashboard. They then appear to change the email address to which password reset messages are sent in at least once instance to reset the password to accounts and gain access.
That overwhelming power is a concern, says Victoria Baines, a cybersecurity researcher and visiting research fellow at Oxford University. “Having admin access to an account and being able to take administrative actions like content removal and account locking should be a far cry from being able to pose as the account holder in order to post content,” she says. “It’s not uncommon to have support staff that are able to reset accounts and help users that have been locked out,” says Yonathan Klijnsma, a threat researcher at RiskIQ, a cyber security company. “What is odd is that support staff seemed to have been able to do this regardless of any controls.”
It’s also something Twitter has previously been criticised for in the past. In 2011 it settled with the US Federal Trade Commission for “serious lapses in the company’s data security [that] allowed hackers to obtain unauthorised administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account” – eerily similar issues to the problem now. It’s highly likely that Twitter may face repercussions from regulators over the most recent incident too.
“We all got a taste of a coordinated digital attack,” says cybersecurity researcher Andrea Stroppa. Twitter struggled to quickly lock this down – though that isn’t surprising, says Hyppönen. “When you are in a network and have multiple administrators working on that at the same time, and one of them is the attacker, they all have the same rights,” he says. “You have multiple gods with the same access rights fighting with each other, and you can’t just find the attacker right away and kick them out.”
The limited access some accounts still have, more than a day after the attack was launched, is also down to an abundance of caution. “Attackers try to build their systems so when they’re detected they have a way of regaining access,” says Hyppönen. “Twitter is likely going through their logs to figure out what’s happening.”
Most worrying is that the intruders will have had access to all sorts of data beyond simply the ability to tweet. Hyppönen says they sent some direct messages trying to scam other users, that the attackers have been able to read and write direct messages as well.
“As soon as you have access to someone’s account, you can read their DMs on any device,” Woodward adds. “If you had proper end-to-end encryption, you would need the original device. That’s probably done by design – we log on to Twitter from various devices – but it is a concern.” Screenshots shared on groups on Discord show that lots of private information about users is also available through the administrator dashboard believed to have been used.
Yet on the face of it, Twitter has got off lightly from the attack – though opinions are mixed as to whether the bitcoin scam was the full extent of what happened. Stroppa says the timing of this hack is “interesting”. “We have the US elections in the coming months,” he explains. “We’re living a non-stop asymmetric war where groups, adversary countries and terrorists use the digital platforms for malicious activities. Every time we see a big story like this one, we feel confused.”
That’s something Woodward also wonders about. “Was it a diversionary attack? If someone has access enough to run those tools, what else could they be doing in there? I imagine there’s a lot of cleaning house going on, because they have to run around the networks and make sure it’s all okay. You literally could leave all sorts of things on there like remote access tools.”
Hyppönen is less certain that the bitcoin scam was a diversion so the hackers could squirrel away something that would grant them later access – nor does he think that any information was secreted away that could be used in the run-up to the US presidential election. “If you gain god level access to Twitter, are we really supposed to believe all they did was take out some bitcoins? I don’t think there is. The reason I don’t think so is the attackers didn’t just do the bitcoin scam. They did three separate ones.”
At the same time as tweeting out their bitcoin wallet, they were also taking over the Twitter accounts of major players in the world of bitcoin, and directing people to a private Telegram group, asking them to pay money to gain access – another scam. At the same time, they were also taking over so-called “OG” handles – valuable, short Twitter names that can earn large amounts when put up for sale. “That’s three completely different ways to monetise the access they had,” he says. “Would a nation-state, who’s trying to do something completely different, go to the trouble of all that to make a quick buck?”
That’s something that Allison Nixon, chief research officer at Unit 221B, a cybersecurity firm, agrees with in an initial assessment. “I suspect the perpetrators come from the ‘OG’ community, and bribing and coercing insiders is well within their MO,” she says. “It is a fact of life that poor people are easy to push around, and for the companies that fall prey to this, they give their customer service people a level of power that far exceeds the actual value of their pay cheques.”
“The fact they tried to monetise in all these work-intensive ways would tell me this is what they were trying to do after all, which would indicate it’s a juvenile gang that couldn’t figure out a better way to make money from this,” says Hyppönen. “They could have done anything, but this is what they did, and I think it wasn’t a cover story. I think we were lucky this is the best they could figure out.”
More great stories from WIRED
☢️ Nine years on, Fukushima’s mental health fallout lingers
🦆 Google got rich from your data. DuckDuckGo is fighting back
😷 Which face mask should you buy?
👉 Follow WIRED on Twitter, Instagram, Facebook and LinkedIn
Get The Email from WIRED, your no-nonsense briefing on all the biggest stories in technology, business and science. In your inbox every weekday at 12pm sharp.
Thank You. You have successfully subscribed to our newsletter. You will hear from us shortly.
Sorry, you have entered an invalid email. Please refresh and try again.