Nation-States Pay Insiders Handsomely for Long-Term, Stealthy Access
July 22, 2020
Following Twitter’s Saturday admission that someone subverted its employees to gain control of 45 high-profile Twitter accounts, one reaction has been: Why didn’t anyone crack Twitter sooner?
Indeed, the vulnerability exploited by attackers, Twitter confirmed, was nothing more than social engineering, after which at least some of the attackers tried to cash in by using the seized accounts – for Bill Gates, Jeff Bezos, Elon Musk and others – to push cryptocurrency scams. But despite the potential, the attackers saw just $121,000 worth of bitcoins flow to their cryptocurrency wallets. And good luck cashing them out, with law enforcement agencies keen to see where those bitcoins go (see: Twitter Hijackers Used Well-Honed Fraudster Playbook).
Unfortunately, however, the answer to "why hasn't this happened before?" is that it has.
It was just last November that the U.S. Department of Justice charged three men with perpetrating a campaign to infiltrate Twitter and spy on critics of the Saudi government. Rather than pushing cryptocurrency scams, the Saudis potentially used the information gleaned from Twitter to kidnap or assassinate critics.
Saudis Allegedly Bribed Twitter Insiders
Of course, there are other key differences.
As alleged in the U.S. indictment, the Saudis didn’t attempt to use phishing messages to steal employees’ access credentials. Instead, they allegedly convinced two now-former Twitter employees – Ali Alzabarah of Saudi Arabia and Ahmad Abouammo of Seattle – “to use their employee credentials to gain access without authorization to certain nonpublic information about the individuals behind certain Twitter accounts,” the Justice Department says.
They would have been well-placed for such efforts: Alzabarah worked as a site reliability engineer, while Abouammo worked as Twitter’s media partnership manager for the Middle East and North Africa, or MENA, from Nov. 3, 2013, to May 22, 2015, and “was involved in assisting notable accounts of public interest, brands, journalists and celebrities for the MENA region with content, Twitter strategy and sharing best practices,” according to a criminal complaint.
In return for sharing information with the Saudis – including more than 6,000 Twitter users’ private details – both men allegedly received goods and payments. Prosecutors, for example, say a $100,000 wire transfer was sent to a close relative of Abouammo’s in Beirut, and that he also received a Hublot Unico Big Bang King Gold Ceramic watch worth $20,000. In an apparent operational security fail, he attempted to sell the watch via Craigslist.
Cryptocurrency Scammers Socially Engineered
So while the alleged Saudi operation was used to gather intelligence on critics, and potentially also to silence those critics, the Twitter cryptocurrency scammers exhibited less nefarious intentions last week. Whether their OPSEC was any better, however, remains to be seen.
Last week’s attack succeeded, in part, after “the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” Twitter says. For 45 of 130 accounts they targeted, “the attackers were able to initiate a password reset, login to the account and send tweets.”
The social network hasn’t provided full technical details of the attack or its remediation, but says it may do so in the future, if it doesn’t compromise its new defenses. Twitter also noted that it will be “rolling out additional company-wide training to guard against social engineering tactics to supplement the training employees receive during onboarding and ongoing phishing exercises throughout the year.” Clearly, social engineering and phishing attacks remain a threat, including for Twitter.
But targeting and somehow socially engineering employees, then using their access to spread cryptocurrency scams, is the cybercrime equivalent of a bunch of drunk teenagers stealing a Porsche, then doing donuts at midnight in the parking lot of a police station. It’s noisy, invites attention and has no obvious coup de grâce, unless one of the teens has a relative who owns a chop shop.
Cashing Out Remains Tough
In the online-attack realm, few random criminals would have a direct connection to China’s People’s Liberation Army or Russia’s GRU military intelligence agency, as British security researcher Marcus Hutchins (@MalwareTechBlog) has noted. Furthermore, while subverting accounts to use them for cryptocurrency scams might be fraud – punishable under the U.S. Computer Fraud and Abuse Act – trying to make a deal with a foreign intelligence agency begins to look like espionage.
Random cybercriminals don’t just have direct lines to the PLA or GRU. Assuming by some miracle they did manage to reach out and broker a deal, the charges they’ll end up facing for conspiring with foreign intelligence will make felony CFAA violations look like parking tickets. pic.twitter.com/KH2dQZqDYb
— MalwareTech (@MalwareTechBlog) July 20, 2020
Suspicion about who was behind the Twitter cryptocurrency scam incident has centered on some participants in OGUsers, an online forum and marketplace for buying and selling so-called “original gangster” names. These OG names are desirable because they’re short, and therefore rare.
One early victim of individuals who act on such impulses was journalist Mat Honan, whose digital life was hacked in 2012, resulting in his Google account being deleted, all of the data on his iPhone, iPad and MacBook being remotely erased, and his “@mat” Twitter account seized and used to issue racist and homophobic messages (see: Real Hackers Wield Social Engineering).
Honan managed to make contact with his attacker, who called himself “Phobia,” in return for agreeing not to press charges. Asked why he did it, Phobia “said the hack was simply a grab for my three-character Twitter handle,” Honan wrote after the attack. “That’s all they wanted.”
While three-letter usernames might be valuable, Allison Nixon, chief research officer at Unit 221B, tells my colleague Jeremy Kirk that one-letter usernames are “the holy grail of the OG community.” One of the Twitter accounts compromised last week, for example, was “@6.”
Some reports on the Twitter hack have suggested that it was the work of a group, and that one or more of the participants “went rogue,” deciding to attempt to use the high-profile accounts to turn a cryptocurrency profit. So unless the attackers’ OPSEC was golden, stay tuned for law enforcement following the money, unmasking suspects and filing charges (see: One Simple Error Led to AlphaBay Admin’s Downfall).
Insider Risk Continues
In the bigger picture, last week’s security failure at Twitter points to the clear and present danger posed to organizations by insiders, whether they’re outright malicious, have been bribed or coerced, or their credentials have been stolen and put to work by others (see: 7 Takeaways: Insider Breach at Twitter).
As the OPSEC expert known as the Grugq said via Twitter last November: “The cost of turning an insider will be cheaper than breaching the external side.”
Anticipating such a security challenge, of course, remains the purview of an effective insider risk management program. “What we try to focus on are, what are the potential motivators of an insider who may go on to intentionally harm an organization?” Randy Trzeciak, director of Carnegie Mellon University’s National Insider Threat Center, recently told my colleague Suparna Goswami (see: The Insider Threat: A Growing Concern). “The goal is to prevent the impact to the organization. If we can’t prevent, we need to detect as early as possible.”
Trzeciak says general IT defenses – tools, technology and processes, for example, to spot intrusions and data-exfiltration attempts – can help. To battle malicious or subverted insiders, he recommends using data loss prevention tools, encrypting data at rest or in transit, as well as implementing more advanced tools, such as user and entity behavior analytics, that are purpose-built to spot suspicious insider activity.
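Trzeciak’s point about purpose-built tools for spotting suspicious insider activity can be made concrete with a simple behavioral baseline over an internal audit log, since the Saudi case turned on employees looking up nonpublic details for thousands of accounts. The following is an added example, not Twitter’s code or anything from Carnegie Mellon’s program; the log format, the action name `view_account_details`, the employee names and the sample log itself are all constructed for illustration. It flags any day on which an employee looks up far more distinct accounts than their own median daily volume.

```python
"""Baseline detection of anomalous internal account lookups.

Added example, not code from Twitter or from the page's sources. The
log format (one JSON object per line with "ts", "employee", "action"
and "target") and the action name are assumptions; the log is constructed.
"""
import json
import statistics
from collections import defaultdict

ACTION = "view_account_details"  # assumed name of the sensitive internal action


def _constructed_log():
    """Build a constructed sample audit log (not real data)."""
    rows = []
    # sup1: steady support work, four distinct accounts a day for a week.
    for day in range(1, 8):
        for i in range(4):
            rows.append({"ts": f"2020-07-{day:02d}T10:0{i}:00Z", "employee": "sup1",
                         "action": ACTION, "target": f"user{day * 10 + i}"})
    # sre2: an engineer with almost no history of account lookups ...
    for day in range(1, 7):
        rows.append({"ts": f"2020-07-{day:02d}T09:00:00Z", "employee": "sre2",
                     "action": ACTION, "target": f"user{900 + day}"})
    # ... who then pulls 300 distinct accounts on a single day.
    for i in range(300):
        rows.append({"ts": f"2020-07-07T02:{i % 60:02d}:{i // 60:02d}Z",
                     "employee": "sre2", "action": ACTION, "target": f"critic{i}"})
    # An unrelated action that must not count toward the lookup baseline.
    rows.append({"ts": "2020-07-07T03:00:00Z", "employee": "sre2",
                 "action": "restart_service", "target": "cache-07"})
    return "\n".join(json.dumps(r) for r in rows)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def distinct_targets_per_day(events, action=ACTION):
    """Map employee -> ISO date -> set of distinct accounts looked up."""
    per_day = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("action") != action:
            continue
        per_day[ev["employee"]][ev["ts"][:10]].add(ev["target"])
    return per_day


def detect_lookup_spikes(events, action=ACTION, factor=5, min_count=20):
    """Flag days where an employee's distinct-account lookups exceed `factor`
    times their own median daily volume over the whole log window (days with
    no lookups count as zero) and also exceed `min_count`, so a jump from
    zero to two lookups is not flagged. Returns sorted (employee, date,
    count, baseline) tuples."""
    per_day = distinct_targets_per_day(events, action)
    all_days = sorted({ev["ts"][:10] for ev in events})
    alerts = []
    for employee, days in per_day.items():
        counts = {d: len(days.get(d, ())) for d in all_days}
        for day in all_days:
            count = counts[day]
            others = [c for d, c in counts.items() if d != day]
            baseline = statistics.median(others) if others else 0.0
            if count >= min_count and count > factor * max(baseline, 1):
                alerts.append((employee, day, count, baseline))
    return sorted(alerts)


if __name__ == "__main__":
    for employee, day, count, baseline in detect_lookup_spikes(parse_log(SAMPLE_LOG)):
        print(f"{day} {employee}: {count} distinct accounts (median {baseline}/day)")
```

The per-employee median rather than a fixed threshold is what lets the check tolerate a support agent who legitimately touches dozens of accounts a day while still catching an engineer whose role involves no account lookups at all; in practice the same logic would be fed from whatever audit trail the internal tooling already emits, and a reviewer would still have to judge whether a flagged spike was a legitimate escalation or a bribed insider.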
Having a robust and effective insider risk management program remains essential. Last week’s attack against Twitter was noisy, and it quickly came to light. Unanswered, however, is this bigger question: How many low, slow and quieter attacks leveraging insiders remain underway at Twitter and other Silicon Valley firms? Because for well-resourced nation-states, bribery remains cheap, effective and – too often – tough to spot.