They are not the only ones looking for answers. So are members of Congress, cybersecurity experts and Twitter itself. The FBI is also involved: Officials said Thursday that they are investigating the incident, and police sources have told CNN that the agency is reviewing what appear to be screenshots of Twitter’s internal account management software circulating on the networks. social.
Former employee analysis focuses on the same software, a powerful tool that gives significant numbers of authorized Twitter workers the ability to manage high-profile accounts, including by viewing protected user information and even changing addresses linked email accounts, interviews with several former employees, all of whom spoke to CNN on condition of anonymity to discuss a former employer. Former employees concluded that hackers probably used the tool to access accounts and then reset passwords.
“There have been a lot of comparative notes, people refresh their memories and try to piece together how this happened,” said one of the people involved in the discussions. “It included some security people who tend to be the most creative thinking about ‘Well, if I was the bad actor, how would I do this?'”
Twitter declined to comment for this story.
Looking for clues
But that still doesn’t explain how hackers could take control of accounts. And a person close to the Biden campaign told CNN on Thursday that Twitter has not shared much more with the victims of the attack than it has released to the public.
Based on Twitter’s preliminary explanation and circulating screenshots, the former employees quickly concluded that the hackers had accessed an administrative platform known internally as “agent tools” or the “Twitter services UI”. This internal tool is designed for employees to handle customer service requests and moderate content, said a person familiar with Twitter security.
Hundreds of Twitter employees have access to agent tools, according to one of the people who participated in the discussions of the former employees. It is a powerful platform that can display the cell phone numbers of Twitter users if they have been registered with the company, as well as the users’ geolocation and any IP addresses that have been used to access the account, the person said.
Ashkan Soltani, a security expert and former chief technologist at the Federal Trade Commission, said it is not unusual for tech companies to have internal tools like these. While the exact characteristics and permissions may differ from one company to another, he said, the most important question concerns the extent of committed employee access.
“The question at the end of the day is, ‘What level of [employee] Was the account accessed? ‘”said Soltani.” And if it was a lower level account, is Twitter doing something to segment it correctly? [employee] superuser rights? ”
One of the most sensitive capabilities associated with the Twitter tool is the ability to change the email addresses to which Twitter sends instructions to reset the password. What probably happened, the former employees said, is that the attackers used the tool to change the email addresses associated with specific Twitter accounts, then sent instructions to reset the password to new email addresses under the control of the hackers. Once hackers were able to alter users’ passwords, they were able to log into Twitter accounts as if they were the rightful owners.
The attack could have happened right under the noses of the people whose accounts were taken. Many social media companies have built their user login systems to be frictionless, meaning that consumers rarely log out of an app after changing their passwords.
“So if you’re a celebrity, someone using this method might have changed your password, but you wouldn’t necessarily be locked out and you wouldn’t necessarily know it,” said a former employee.
In other words, hacked users could have been looking at their Twitter accounts as if nothing had changed.
In principle, security techniques like two-factor authentication are intended to thwart unauthorized logins. An account protected by two-factor authentication will ask users to provide not only a correct username and password, but also a verification code sent to a separate device that a legitimate user would control.
In this case, any two-factor authentication to the victims’ accounts could have been overlooked, the former employees said. One of the capabilities of the agent tools is the power to disable two-factor authentication, one of the people said. (According to Soltani, this type of capability, along with the power to change users’ email addresses, is often used by companies to help customers retrieve their accounts if they lose access to their cell phones or emails. electronic).
If the theory of former employees is correct, then all hackers had to do to take over these prominent accounts was to disable two-factor authentication if enabled, change the destination address to reset the password, then surreptitiously change the victims’ passwords and log in with the new credentials.
The person close to Biden’s campaign said that in the case of Biden’s account, no compromising messages were found. “I’ve seen the DMs there, and it’s nothing special,” said the person. “It’s all just about getting closer to the voters.”
How hackers gained access is still unknown.
While the nature of the attack is becoming clearer, what remains a mystery is how hackers gained access to the agent’s tools in the first place.
Twitter has attributed the security incident to “coordinated social engineering,” a term Michael Coates, Twitter’s former chief information security officer, said could encompass a variety of threats.
Access to the agent’s tools is limited by a series of safeguards, the former employees said.
“I can confirm that there are many layers of controls,” said Coates, speaking of Twitter’s internal systems in general. “There are analyzes, there are records, data science analyzes, minimal privileges – all of these things that you would expect in these systems.”
At least two other layers of protection are involved, according to former employees. Under normal circumstances, the agent tools are only accessible while employees are connected to the company intranet, which means they must be physically in the office or log in to the network via VPN. And to log into the agent tools, employees must provide their own corporate username and password.
It is unclear whether the pandemic may have led to remote work policies that could have made logging into agent tools easier, several former employees said. While it is a possibility, they acknowledged, there is no evidence that Twitter has relaxed their security in order to work from home. Twitter declined to comment on its remote work policies.
Even within agent tools, the roles of employees within the company can limit which user accounts they can access, one of the former employees said. For example, a person whose job is to handle requests for support from journalists may access journalist accounts, but perhaps not others. These limitations may help explain why hackers attacked a wide range of current Twitter employees.
Due to the activity logs that Twitter keeps on its employees, tracking which worker accounts accessed VIP accounts would be a trivial task, the former employees said. A more difficult challenge, one that would likely require police assistance, would be to determine whether the employees themselves were knowingly involved or whether they were simply used by unintentional accomplices as outsiders.
Investigators have also not ruled out the possibility of the nation-state participating in the attack, although for the moment there appears to be no evidence of it, according to a person familiar with the matter.
Alex Marquardt, Evan Perez, and Donie O’Sullivan contributed to this story.
.
