On the evening of July 15, 2020, Twitter users watched one of the most high-profile attacks in years unfold in real time as impostors sent a series of fraudulent Tweets from the accounts of about 130 celebrities, politicians, and tech industry luminaries, promising to return $2,000 for every $1,000 sent to a Bitcoin address. There are a number of important lessons here for all enterprises, but one especially stands out.
According to the government criminal complaints, the attackers garnered more than 400 transfers totaling over $100,000. The complaints also confirmed what many already suspected: that the Twitter attack was a mix of technical and social engineering tactics. The complaints further revealed that one of the three people charged allegedly gained access to Twitter applications on May 3, 2020, most notably a Twitter Slack workspace, and then used that access to work deeper into Twitter’s systems.
According to Twitter’s ongoing blog updates on the incident, the attackers then targeted a select group of employees with a phone spear-phishing attack in order to gain access to internal systems. They hoped to obtain the credentials they needed to access the systems used to manage user accounts. While “not all the employees that were initially targeted had permissions to the user account management tools, the attackers did manage to use their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” Twitter explained.
Using those credentials, Twitter wrote, the attackers were then able to access the internal Twitter account management and support tools that made the attack possible. According to Twitter, access to accounts is “strictly limited and is only granted for valid business reasons.”
“We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason. While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated,” the company continued.
This was not the first time Twitter fell to a high-profile insider attack. In November 2019, the U.S. Department of Justice accused a pair of former Twitter employees of using their account privileges to spy on Twitter users and provide that information to the government of Saudi Arabia. The criminal complaint described it as having been relatively easy for the insiders to abuse their access at the time. The legal fate of the accused remains unclear, as the U.S. seeks to drop charges against the former Twitter employees accused of spying for Saudi Arabia, according to reporting from The Verge.
At the time, in a statement, Twitter said that the company “limits access to sensitive account information to a limited group of trained and vetted employees” and that they “have tools in place to protect their privacy and their ability to do their vital work.”
The attack of July 15 shows the company has more work to do, and since the recent attack, Twitter has promised to do just that. In their statement, they said that they’re looking for ways to improve. “We’re always investing in increased security protocols, techniques, and mechanisms — it’s how we work to stay ahead of threats as they evolve,” Twitter said. “Going forward, we’re accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year,” the company said.
Twitter added that the attack, which relied heavily on social engineering techniques, was a “striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously, and everyone at Twitter is committed to keeping your information safe.”
“We will continue to share updates and precautionary steps we take so that others can learn from this, too. We recognize the trust you place in us and are committing to earning it by continued open, honest, and timely updates anytime an incident like this happens,” Twitter continued.
As the world’s real-time wire service, Twitter does need to do a better job at stopping such attacks. But to be fair, this attack could have been much worse. The attackers could have used their access for something far more nefarious than Bitcoin fraud: they could have used the VIP accounts to spread disinformation and potentially fuel who knows what confusion and mayhem. And Twitter itself responded relatively well. The number of breached accounts was limited to 130, as was the number of accounts that had their data accessed. Had Twitter not managed to shut down the attackers (by taking several dramatic steps, such as blocking access for verified accounts), the attack could have been much worse and persisted much longer.
There are several lessons here for enterprises, but one sticks out in particular to me. Yes, enterprises need to do the best they can when it comes to reducing access to privileged accounts. They need to monitor users and applications for anomalous behavior. Privileged accounts, or those accounts with enhanced access, should be protected with multifactor authentication. And users certainly need security awareness training and should be regularly reminded to remain on guard. It seems Twitter was doing most, if not all, of these things.
That makes the Twitter breach a reminder that enterprises can do all of these things, and do them reasonably effectively, and still be breached. This makes it essential that enterprises not only take these defensive steps but also have an incident response plan in place, along with the ability to execute on that plan, because despite all the precautions, whatever can go wrong will, at some point, go wrong.