21-year-old British man to blame for Twitter hack: report


  • After Twitter suffered a massive attack on Wednesday that took over dozens of high-profile verified accounts and brought the site to a halt, the search to identify the culprits began.
  • Many assumed that the scale of the hack meant it was carried out by sophisticated actors like a nation-state, but new findings from researcher Brian Krebs and cybersecurity firm Unit 211B suggest that the heist may have been led by a relatively small group of young hackers.
  • Investigators identified an account that, in the days leading up to the heist, showed on Twitter and in hacker forums that it could carry out the type of attack that unfolded on Wednesday. The account belongs to a 21-year-old from Liverpool, United Kingdom, named Joseph James Connor.
  • It’s unclear whether Connor acted alone or with others to carry out the attack on Wednesday, and cybersecurity experts told Business Insider that hackers likely have more plans in store.

Cybersecurity investigators revealed that the massive hack that compromised dozens of verified Twitter accounts on Wednesday was carried out not by a sophisticated nation-state actor, as some thought, but by a group of young hackers.

The heist apparently started when the Binance cryptocurrency exchange tweeted that users who sent bitcoin to a specific address would receive even more bitcoin in return. Within minutes, similar messages were sent from the accounts of Bill Gates, Tesla CEO Elon Musk, Amazon CEO Jeff Bezos, President Barack Obama, and Kim Kardashian West, urging people to send bitcoins to the link in exchange for more bitcoins.

The fraudulent tweets continued to appear for over an hour, with Twitter seemingly unable to stop them. In many cases, tweets were quickly removed, only for similar tweets to be sent minutes later. Twitter finally blocked tweets from all verified accounts for approximately 30 minutes as it tried to take control of the situation.

Before order was restored, more than 13 bitcoins, or roughly $117,000, appeared to have been transferred to the bitcoin wallet linked in the malicious tweets.

Twitter said in a statement Wednesday night that it had evidence suggesting that hackers attacked Twitter employees using social engineering to “access internal tools and systems.”

“We know that they used this access to take control of many highly visible accounts (including verified ones) and tweet on their behalf. We are investigating what other malicious activity they may have performed or information they have accessed and we will share more here as we have it,” Twitter said in the statement.

It is the most far-reaching hack in Twitter history, but cybersecurity experts began to point to indicators that the attack was not carried out by a well-funded hacking operation or by a sophisticated nation-state actor. For one, its scope was apparently not ambitious: attackers could have taken advantage of their access to so many accounts to disrupt the stock market, influence elections, or even attempt to start a war. And the amount of money stolen through the bitcoin scam is relatively small given the level of access. Some experts saw the noisy hack as a sign that a more dire attack may have taken place simultaneously.

Now, researcher Brian Krebs and cybersecurity firm Unit 211B have presented new evidence of users bragging on hacker forums and on Twitter, in the days leading up to the attack, that they could compromise any Twitter account.

A person on the OGusers account hijacking forum said in a post days before Wednesday’s hack that they could compromise any Twitter account, offering to sell account access for prices ranging from $250 to $3,000, according to Krebs’ findings. Before that, at least two Twitter accounts, @shinji and @b, posted screenshots of Twitter’s internal tools. Motherboard reported Wednesday that the internal tools can be used to change the email address associated with an account and take over the account without notifying its original owner.

Citing a source who works in security at a US-based mobile phone operator, Krebs traced the Twitter handles @shinji and @ba to a well-known hacker who uses the handle PlugWalkJoe.

PlugWalkJoe is known for SIM swap attacks, heists in which hackers bribe or trick employees of mobile phone operators into giving them control of someone else’s cell phone number in order to compromise that person’s other accounts. PlugWalkJoe is also affiliated with ChucklingSquad, a group of SIM swappers believed to be behind the 2019 hack of Twitter CEO Jack Dorsey.

According to Krebs’ security sources, PlugWalkJoe is a 21-year-old from Liverpool, United Kingdom, named Joseph James Connor, who currently lives in Spain. The source told Krebs that an undercover investigator recently convinced Connor, who operated under the handle PlugWalkJoe, to accept a video call, which showed a background that Connor had also posted on his Instagram.

It is unclear whether Connor acted alone or with others to carry out the attack on Wednesday, nor is it clear whether the attack has run its course. The details of the hack suggest that the attackers could have seen the direct messages of each compromised account, which in theory could be used for lucrative blackmail schemes.

Twitter now faces demands from state and federal lawmakers to further explain how the accounts were compromised and why it took so long to regain control. Both the FBI and New York state regulators opened investigations into the attack on Thursday, and the Senate Select Committee on Intelligence said it would request information from Twitter.

And cybersecurity experts told Business Insider that the attack is probably not over.

“In security, you are paid to be paranoid,” Kevin O’Brien, CEO of cloud email security company GreatHorn, told Business Insider on Thursday. “And paranoia says something else happened at the same time, or that these accounts were accessed in much more damaging ways.”