The good news about the Twitter hack is that it does not appear to have been orchestrated by a nation-state group. The bad news is that it appears a bunch of relatively unsophisticated teenagers managed to get access to the communications channels of some of the most powerful people on Earth. The apparent ringleader is a Florida 17-year-old with a history of running small-time scams in Minecraft and who had previously been investigated for theft of bitcoin.
In the days following the July 15 Twitter breach, stories from a number of major media outlets conflicted in details and theories about what had happened. It turns out that the New York Times report from July 17 was mostly on the right track, attributing the breach to a confederation of youngsters more interested in taking over and selling desirable Twitter handles than getting involved in geopolitics.
Twitter has confirmed the story and its blog posts sharing details about the investigation appear to have mostly been forthright and accurate. Though the transparency is welcome, it also confirmed that relatively low-level employees at Twitter have a potentially dangerous level of access to prominent accounts.
Postmortem of the most significant Twitter hack in history
Graham Ivan Clark, the alleged ringleader of the Twitter hack, got his start in online fraud by cheating other Minecraft players out of their accounts. He had a particular focus on obtaining accounts with desirable usernames. Clark moved on from this to cryptocurrency, and was implicated in the 2019 theft of 164 bitcoins (about $856,000) from Seattle tech investor Gregg Bennett.
Clark’s limited range of prior experience explains the seemingly odd focus on relative trivialities during the Twitter hack. It was an inexperienced minor sticking to what he was familiar with: valuable usernames and cryptocurrency.
The Secret Service visited Clark earlier this year about the theft of bitcoin from Bennett, but apparently opted not to charge him because he was a minor. The FBI investigation indicates that Clark started working on his scheme to breach Twitter only two weeks after that visit. He began by searching LinkedIn for Twitter employees who might have high-level access to user accounts, using tools intended for job recruiters.
Clark was apparently able to convince a Twitter employee that he was a co-worker in the company’s IT department, and obtained login credentials for the customer service portal from this person. He initially focused on obtaining and selling high-value usernames, recruiting several accomplices via the OGUsers forum. The US Department of Justice has also charged 19-year-old Mason Sheppard of the United Kingdom and 22-year-old Nima Fazeli of Orlando, along with an unidentified minor in California. The accomplices created the bitcoin wallets used in the attack but were apparently no more sophisticated than Clark; investigators quickly tracked them down after they used their personal driver’s licenses to register associated accounts with Coinbase and Binance.
Though the primary focus was obtaining and selling usernames, Clark got the idea to “add value” by running a bitcoin scam through the accounts of famous individuals ranging from former president Barack Obama to Kanye West. This appears to have brought in an additional $117,000, but also very quickly alerted both Twitter and the general public that a major breach was underway.
Clark has been charged with organized fraud, communications fraud, fraudulent use of personal information and accessing a computer without authority. Florida allows minors to be charged as adults for certain types of financial crime. Clark’s associates have additionally been charged with conspiracy to commit wire fraud.
Though Clark is thought to have downloaded the Twitter data and accessed the DMs of several high-profile accounts, it appears that he was not technically sophisticated enough to leave a backdoor for future access or do any other sort of lasting damage. While it is prudent for users to change their passwords out of an abundance of caution, it does not appear that the hackers gained access to any accounts beyond the estimated 130 that they paid special attention to. Those users should have received a special notification about the Twitter hack at this point.
Nevertheless, Clark exposed some serious vulnerabilities at the social media giant. Casey Kraus, President of Senserva, provided some perspective on the internal organizational issues that created the opening for the Twitter hack: “What caught my eye about Twitter’s blog post was this statement, ‘A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools’ … This shows the focus that companies need to have on employee credentials, access, and administrator role assignments. Having the ability to identify high security risk users and possible shadow administrators can help reduce the attack surface in situations like this.”
The Twitter hack raised serious questions about how many employees had direct access to user DMs and the ability to tweet from users’ accounts. That is still not entirely clear, but it appears that vulnerability to phishing is endemic within the organization and that MFA is not adequate to protect accounts from internal compromise. Chloé Messdaghi, VP of Strategy for Point3 Security, believes that this vulnerability may be an artifact of relaxed work-at-home rules brought on by the Covid-19 pandemic: “Think about it: now more than ever, if someone gets a text on their mobile from a boss who doesn’t usually reach out that way, they’re likely to chalk it up to the interoffice lines of communications that have been blurred and rewritten by the Pandemic. And if an employee is then asked by someone purporting to be their boss with a message saying ‘we have a serious problem’ and to please call a helpdesk number immediately, they’re more likely to comply before thinking things through – again, because the Pandemic has made people overwhelmed and eager to respond to security threats … On top of that, mobile is a much better way to phish someone versus laptop computing – studies say that even well-informed users are 3x more likely to fall for a phishing link on a small screen vs. a desktop, because it’s harder visually and logistically to double check a link.”
As James McQuiggan, security awareness advocate at KnowBe4, points out, the company will need to get on top of the issues exposed by the Twitter hack immediately as these teens have laid out a roadmap for future breaches: “One concerning notion will be that if a few young adults were able to conduct this type of attack, how will nation-states and other large cybercriminal groups replicate a similar social engineering attack against other organizations … Organizations can use security awareness and training programs to educate their employees about social engineering via email, phone, or in person. These programs support the overall cybersecurity program and, combined with technology systems, prevent cybercriminals from exploiting human nature and attempting to gain access to sensitive systems for theft, exploitation, or blackmail.”