
Twitter confirms it was hit by targeted spearphishing attack

Investigation into 15 July 2020 hack of a number of high-profile accounts by cryptocurrency scammers has found evidence of a targeted spearphishing incident

Twitter’s investigation into a serious cyber attack that took place earlier in July 2020 has found that cyber criminals gained access to its systems through a well-planned and carefully targeted social engineering spearphishing attack on Twitter’s own employees.

The attack was carried out by phone, a technique known as vishing (voice phishing), and yielded the credentials of specific employees, which let the attackers log in to Twitter’s internal support tools. From that initial foothold they targeted higher-level employees whose accounts had access to the critical account support tools.

With this level of access, they were able to take control of 130 Twitter accounts, tweeting malicious messages from 45 of those, accessing the direct message (DM) inbox of 36, and downloading the Twitter data of seven.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” said a Twitter spokesperson via a disclosure blog. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.

“We’ve communicated directly with the impacted account owners and worked to restore access to any accounts that may have been temporarily locked during our remediation efforts. Our investigation is ongoing, and we are working with the appropriate authorities to ensure that the people responsible for this attack are identified.”

Twitter acknowledged that the incident had raised concerns about its tools and levels of employee access. It said that on a day-to-day basis, its support teams do use a number of proprietary tools to assist in their work, but access to such tools is very limited and only ever granted for valid business reasons. The firm operates a zero-tolerance policy for misuse of these tools or credentials, and actively monitors and audits the permissions it grants.

However, those safeguards evidently did not stop the attackers from turning the limited support-tool access they first obtained into a route to employees with higher privileges and, from there, to the account support tools themselves, so the firm said it would now be “taking a hard look” at how it can make these processes more sophisticated and secure.
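Twitter says it monitors and audits the permissions it grants to its support tools, and the attack pattern described above (one set of operator credentials used to reconfigure 130 accounts in a short space of time) is exactly the kind of behaviour an audit log of such a tool can surface. The following is an added example, written for this article and not Twitter’s own code: it runs two simple checks over a constructed audit log of a hypothetical account-support tool. The log format, field names, action names, window and threshold are all assumptions made for the illustration.

```python
"""Detect bulk account takeover through an internal support tool from its audit log.

Added example, not Twitter's code. The log format, field names, action names
and thresholds are assumptions; the log lines below are constructed, not real.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that let an operator take over an account rather than merely view it.
# A burst of these from a single operator login is the signal we look for.
PRIVILEGED_ACTIONS = {"change_email", "disable_2fa", "reset_password"}

# Constructed audit log (assumed format):
# timestamp operator action target_account ticket_id ("-" when no ticket is linked)
SAMPLE_LOG = """\
2020-07-15T19:58:01Z support_a view_profile acct_1001 T-4411
2020-07-15T20:01:14Z support_a change_email acct_1001 T-4411
2020-07-15T20:05:02Z support_b change_email acct_2001 -
2020-07-15T20:05:40Z support_b disable_2fa acct_2001 -
2020-07-15T20:06:11Z support_b change_email acct_2002 -
2020-07-15T20:06:50Z support_b disable_2fa acct_2002 -
2020-07-15T20:07:30Z support_b change_email acct_2003 -
2020-07-15T20:08:05Z support_b change_email acct_2004 -
2020-07-15T20:08:44Z support_b change_email acct_2005 -
2020-07-15T20:09:20Z support_b reset_password acct_2006 -
2020-07-15T21:40:00Z support_c change_email acct_3001 T-4490
"""


def parse_log(text):
    """Parse space-separated audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, target, ticket = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operator": operator,
            "action": action,
            "target": target,
            "ticket": None if ticket == "-" else ticket,
        })
    return events


def find_bulk_takeovers(events, window=timedelta(minutes=10), max_targets=3):
    """Flag operators who perform privileged actions on more than `max_targets`
    distinct accounts inside any sliding `window`.

    Returns {operator: set of distinct accounts touched in that operator's
    widest offending window}. Threshold and window are illustrative.
    """
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)  # operator -> deque of (timestamp, target) still inside the window
    flagged = {}
    for e in events:
        if e["action"] not in PRIVILEGED_ACTIONS:
            continue
        q = recent[e["operator"]]
        q.append((e["ts"], e["target"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) > max_targets and len(targets) > len(flagged.get(e["operator"], ())):
            flagged[e["operator"]] = targets
    return flagged


def find_unticketed_changes(events):
    """Privileged actions with no support ticket attached: no recorded business reason."""
    return [e for e in events if e["action"] in PRIVILEGED_ACTIONS and e["ticket"] is None]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for op, targets in find_bulk_takeovers(evs).items():
        print(f"ALERT bulk takeover: {op} changed {len(targets)} accounts within 10 min: {sorted(targets)}")
    for e in find_unticketed_changes(evs):
        print(f"WARN unticketed {e['action']} on {e['target']} by {e['operator']}")
```

In the constructed log, `support_a` and `support_c` each change one account against a ticket and are not flagged; `support_b` reconfigures six accounts in under five minutes with no ticket on any of them, so both checks fire. The ticket check is the cheaper control: it turns “access is only granted for valid business reasons” into something that can be verified per action rather than per permission grant.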

“Going forward, we’re accelerating several of our pre-existing security workstreams and improvements to our tools,” said the firm. “We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritising security work across many of our teams. We will continue to organise ongoing company-wide phishing exercises throughout the year.

“We’re embarrassed, we’re disappointed and, more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice. We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.”


Stuart Reed, UK director at Orange Cyberdefense, said: “As suspected, this breach resulted from social engineering – hackers preying on human vulnerabilities. Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios, while easy to manipulate in others.

“It is vital that organisations employ a layered approach of people, process and technology for optimal cyber security. This incident underlines the critical importance of awareness and education among employees and the role they play in good data hygiene. Cyber security is not the sole concern of an individual or a function – it is a shared responsibility of all.”

Analysis of the Twitter attack produced earlier this week by Atlas VPN found that the malicious tweets could have reached up to 382 million people, although there is clearly some overlap between followers of different accounts. Among the biggest accounts attacked were those of former US president Barack Obama, who is followed by 121 million people, or 37% of monetisable Twitter users, Kim Kardashian, followed by 66 million, and Bill Gates, followed by 51.3 million.
