The really scary thing about the major hack Twitter experienced on Wednesday is not that security lapses on various platforms expose us all to unknown risks we have almost no way to defend against, nor the ease with which people can be deceived into handing over substantial sums of money. No, the scary thing is that the current case, in which hackers exploited a security loophole to commit Bitcoin fraud, is not the worst thing that loophole could have been used for.
This time, the loophole was exploited for simple financial fraud, but the intruder could have just as easily taken advantage of the access to accounts of world leaders to undermine the global political order, ignite national disputes, and even drag countries into significant conflict. Perhaps even, as some commentators suggested, to the point of nuclear war.
The attack began Wednesday night. A string of high-profile accounts, including those of former U.S. President Barack Obama, Democratic presidential candidate Joe Biden, Tesla CEO Elon Musk, philanthropist Bill Gates, businessman and entertainer Kanye West, former New York City Mayor Michael Bloomberg, Amazon CEO Jeff Bezos, and Apple's official account, all suddenly tweeted out a tempting offer.
The accounts all tweeted out variations of the same message: the figures behind the verified accounts promised to pay people $2,000 in exchange for $1,000 in Bitcoin sent to their wallets, and they were doing it to “give back to the community.”
The most obvious response should be: who is naive enough to fall for such an obvious scam? Well, given the popularity of the various accounts, which collectively have tens of millions of followers, you do not need anything sophisticated to trap a meaningful share of them. A fraction of a percent of users falling for the scam is enough for the hackers to rake in handsome sums of money. And that seems to be exactly what happened: according to reports, around $120,000 was transferred to the published wallet address before the scam was detected and the tweets were taken down. Not bad for 280 characters.
The second response should be to ask what the hell happened here. How did hackers manage to break into so many prominent accounts all at once? In this case, it was not a failure on the part of the users, such as choosing a weak password, recycling a password, or falling victim to a phishing attack. According to Twitter, the attack made use of the company's own internal tools.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the company said in a series of tweets. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers. We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.”
Twitter did not elaborate on the tools the hackers used, but Motherboard reported that screenshots of the company's internal account-management tools, allegedly used in the attack, were being shared on underground hacker forums. The tools can change the email address associated with an account, which lets whoever controls the new address reset the password and take over the account. Hackers also claimed in a conversation with the technology news site that they paid Twitter employees to change the email addresses of the targeted accounts, although those claims are difficult to verify.
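The capability described above, an internal tool that rewrites an account's recovery email and so opens the door to a password reset, is exactly the kind of privileged action a defender should treat as a high-risk audited event and alert on when it clusters. The following is an added example, not Twitter's code and not any tool from the Motherboard report: it runs a simple burst rule over constructed audit-log lines (the log format, field names, action names and operator ids are all invented for illustration) and flags any single operator who changes the email of three or more verified accounts within ten minutes.

```python
"""Burst detection for sensitive actions taken through an internal support tool.

Added example, not Twitter's code. The log format, the `SAMPLE_AUDIT_LOG`
lines, the action names and the operator ids are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines, one event per line:
#   <ISO-8601 time> operator=<id> action=<name> account=<handle> verified=<0|1>
SAMPLE_AUDIT_LOG = """\
2020-07-15T19:58:02Z operator=op-17 action=view_profile account=@smallshop verified=0
2020-07-15T20:01:11Z operator=op-17 action=change_email account=@celeb_a verified=1
2020-07-15T20:01:40Z operator=op-17 action=change_email account=@celeb_b verified=1
2020-07-15T20:02:05Z operator=op-17 action=change_email account=@celeb_c verified=1
2020-07-15T20:02:33Z operator=op-17 action=change_email account=@bigco verified=1
2020-07-15T20:03:10Z operator=op-42 action=change_email account=@regular_user verified=0
2020-07-15T21:30:00Z operator=op-42 action=change_email account=@another_user verified=0
"""

# Assumed names for the actions that can hand an account to someone else.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}


def parse_line(line):
    """Turn one constructed audit line into a dict with a parsed timestamp."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "operator": fields["operator"],
        "action": fields["action"],
        "account": fields["account"],
        "verified": fields.get("verified") == "1",
    }


def detect_bursts(log_text, window=timedelta(minutes=10), threshold=3):
    """Return one alert per operator who performs a sensitive action on at least
    `threshold` distinct verified accounts inside a sliding `window`.

    The alert for an operator keeps growing while the burst continues, so the
    returned account list covers the whole cluster, not just the first hit.
    """
    recent = defaultdict(deque)   # operator -> deque of (timestamp, account)
    alerts_by_op = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Only privileged actions on verified accounts count toward the burst.
        if ev["action"] not in SENSITIVE_ACTIONS or not ev["verified"]:
            continue
        q = recent[ev["operator"]]
        q.append((ev["ts"], ev["account"]))
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        accounts = {acct for _, acct in q}
        if len(accounts) >= threshold:
            alert = alerts_by_op.setdefault(
                ev["operator"], {"operator": ev["operator"], "accounts": set()}
            )
            alert["accounts"] |= accounts
            alert["last_ts"] = ev["ts"]
    return [
        {**a, "accounts": sorted(a["accounts"])} for a in alerts_by_op.values()
    ]


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_AUDIT_LOG):
        print(alert)
```

In the constructed log, operator `op-17` changes the email on four verified accounts in under two minutes and is flagged once, with all four handles attached; `op-42` touches only unverified accounts and is not. The threshold and window are the tuning knobs: a real support team legitimately changes emails all day, so the signal is the combination of a privileged action, a verified target and a tight cluster from one operator, which is why each condition is checked separately before the event enters the window.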
So much for the attack itself, but what about the motives behind it? On the surface, the answer is simple: the opportunity for quick profits by exploiting innocent users. However, could it have all just been a front for a more sophisticated move? Twitter itself raised this possibility when it wrote that it was checking "what other malicious activity they may have conducted or information they may have accessed.”
Access to the account also gave the attackers access to the private messages in it, and these could include extremely sensitive political and business information, especially when it comes to accounts like those of Biden or Bezos. One is running for president of the United States and the other runs one of the largest companies in the world (and has been badly burned by previous revelations of his private information). It is not unlikely that their private messages include information that can cause them harm or serve political or business rivals.
Due to the nature of the breach—the email address and password were changed—the account holders would have discovered it quickly, which would not have left the hackers time to monitor the private messages. Running a Bitcoin scam can also work as a distraction from the real goals of the move: extracting and abusing sensitive information.
“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself,” Republican Sen. Josh Hawley wrote to Twitter CEO Jack Dorsey. “As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
And this turn of events would not be the worst-case scenario either. The worst-case scenario is what the hackers could have done with broad access to prominent accounts, including accounts of key political figures.
“The threat here is not simply user privacy and data security,” as Casey Newton wrote in The Verge. “It is about the striking potential of Twitter to incite real-world chaos through impersonation and fraud. As of today, that potential has been realized. And I can only worry about how, with a presidential election now less than four months away, it might be realized further.”
“And that makes you wonder what contingencies the company has put into place in the event that it is someday taken over not by greedy Bitcoin con artists, but state-level actors or psychopaths. After today it is no longer unthinkable, if it ever truly was, that someone will take over the account of a world leader and attempt to start a nuclear war,” Newton went on to write.
This is not such a far-fetched scenario. Donald Trump has already used Twitter to send nuclear threats to North Korea. “North Korean Leader Kim Jong Un just stated that the ‘Nuclear Button is on his desk at all times,’” Trump tweeted in January 2018. “Will someone from his depleted and food starved regime please inform him that I too have a Nuclear Button, but it is a much bigger & more powerful one than his, and my Button works!”
It's not hard to imagine a scenario where a hacker takes over the official account of Russian President Vladimir Putin, tweeting that he has just launched nuclear missiles at the U.S. And is there anyone who can say with 100% certainty that upon seeing such a tweet Trump wouldn’t respond by launching his own nuclear missiles? It may not be the most likely scenario in the world, but neither is it something that is out of the realm of possibility, especially when it comes to Trump.
And you don’t even have to go that far. One can cause quite a bit of damage by having leaders attack their rivals on the global and local stage, igniting violent conflicts. Or imagine that on U.S. election day, an hour before the polls close, Biden's Twitter account announces that he has decided to withdraw from the race and calls on his supporters to vote for Trump or stay away from the polls. Or even something less extreme, like a tweet from the Democratic Party saying that for unexpected reasons the vote has been postponed.
The vast majority of people would not fall for such a scam; it would quickly be exposed and refuted in the media, and the tweet would be removed, just as it was in this case. But for it to succeed, not that many people need to fall for it. It is enough that a few thousand naive users in a key swing state fall into the trap and stay home for the election result to be skewed.
The recent breach showed that such a thing is possible, not only in an individual account but in several accounts at the same time. Twitter will surely take all the necessary steps to make sure that this type of attack is not carried out again, but the nature of large systems is that they always have holes that can be exploited, and there is almost no way to plug them all. The next time hackers find such a hole, it could end up with something far worse than some suckers losing $120,000.