Who is behind Wednesday's epic Twitter hack?

Approximate translation of an article from krebsonsecurity.com by Brian Krebs, a former journalist for The Washington Post and now an independent cybersecurity expert.



On Wednesday, July 15th, Twitter plunged into chaos as the accounts of some of the world's most famous people, company executives and celebrities began linking to fraudulent Bitcoin-collecting sites. Twitter says the attack was possible because someone tricked or coerced one of the company's employees into giving them access to the platform's internal administrative tools. In this article, I will attempt to reconstruct the timeline of the attack and point out the evidence of who might be behind it.



The first evidence of the attack became visible to the public at about 3 p.m. EST (UTC-5; summer UTC-4), when a message appeared on the account of the cryptocurrency exchange Binance claiming that the exchange had partnered with an organization called CryptoForHealth to distribute 5,000 bitcoins to those in need, along with a link where people could send donations.



A few minutes later, similar tweets appeared in the accounts of other cryptocurrency exchanges, as well as in the accounts of US presidential candidate Joe Biden, Amazon head Jeff Bezos, former US President Barack Obama, Tesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investor Warren Buffett.



It seems ludicrous that anyone would actually believe these requests and send money, but analysis of the BTC wallet advertised by many of the hacked accounts showed that in the last 24 hours it processed 383 transactions and received almost 13 bitcoins, approximately $117,000.



Twitter released a statement that “a coordinated social engineering attack on some of our employees was detected, which resulted in access to internal systems and tools. We know that cybercriminals used the gained access to take control of many popular (including verified) accounts and post messages on their behalf. We are investigating what other possible malicious acts they may have committed or what information they could gain access to, and will share the results as soon as we get them.”



There are strong indications that the attack was carried out by people who traditionally specialize in hijacking social media accounts through "SIM swapping", an increasingly common type of crime in which employees of mobile operators or social networks are bribed, hacked or coerced in order to gain access to a victim's account.



Members of the SIM swapping community love to take over social media accounts in the so-called "OG" category. OG, short for "original gangster", refers to short account names like @B or @joe... Owning such an account raises one's status, influence and social standing in SIM swapping circles, and such accounts can sometimes be resold for several thousand dollars.



In the days leading up to Wednesday's attack, there were signs online that some members of the hacking community were selling the ability to change the email address associated with any Twitter account. In a post on the OGusers forum, which is dedicated to account hijacking, the user Chaewon advertised the ability to bind a chosen email address to any Twitter account for $250, and access to accounts for $2,000 to $3,000.



“This is not a special method. If you are not given an email, we will refund your money. If the account gets banned, we are not responsible,” Chaewon wrote in a post titled “Twitter Spoofing Requests.”



Hours before the calls to donate bitcoin began appearing on the Twitter accounts of crypto exchanges and famous people, the attackers focused on hijacking several OG accounts, including "@6".



The account was formerly owned by the late Adrian Lamo, known as the "homeless hacker", who broke into the New York Times network and turned Bradley Manning, a soldier who had handed over documents of varying classification levels to WikiLeaks, in to the US authorities. @6 is now run by Lamo's longtime friend, security researcher and phone phreaker who asked to be called Lucky225 in this story.



Lucky225 said that just before 2 p.m. ET on Wednesday, he received a code via Google Voice to confirm a password reset for the @6 account. Lucky225 said that he had previously disabled SMS delivery of multi-factor authentication codes and instead used time-based codes generated by a mobile app.



But since the attackers were able to change the email address associated with the @6 account and disable multi-factor authentication, the one-time confirmation code was sent both to his Google Voice account and to the new email address registered by the attackers.



"The attack was possible because Twitter's administrative tools apparently make it possible to update any user's email address without sending them any notification," said Lucky225. "Therefore, the attackers could have avoided detection by first updating the account email and then enabling two-factor authentication."
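The takeover chain described above (an admin-tool email change that sends no notice to the old address, followed by MFA being disabled and a password reset) is the kind of sequence an audit-log check can catch. The following is an added example, not code from the original article or from Twitter; the event format, field names and the sample events are constructed assumptions for this illustration.

```python
# Added example: flag accounts where a "silent" admin-tool email change is
# followed, in order and within a short window, by an MFA disable and a
# password reset. The log format below is a constructed assumption.
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical field names).
SAMPLE_LOG = [
    {"ts": "2020-07-15T17:41:02Z", "account": "@6", "actor": "support_agent_17",
     "action": "email_changed", "via": "admin_tool", "notified_old_email": "false"},
    {"ts": "2020-07-15T17:42:10Z", "account": "@6", "actor": "support_agent_17",
     "action": "mfa_disabled", "via": "admin_tool", "notified_old_email": "n/a"},
    {"ts": "2020-07-15T17:55:31Z", "account": "@6", "actor": "self",
     "action": "password_reset", "via": "web", "notified_old_email": "n/a"},
    # Benign self-service change: the old address was notified, no MFA change.
    {"ts": "2020-07-15T17:50:00Z", "account": "@alice", "actor": "self",
     "action": "email_changed", "via": "settings", "notified_old_email": "true"},
    {"ts": "2020-07-15T18:10:00Z", "account": "@alice", "actor": "self",
     "action": "password_reset", "via": "web", "notified_old_email": "n/a"},
]

SEQUENCE = ("email_changed", "mfa_disabled", "password_reset")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_silent_takeovers(events, window=timedelta(minutes=30)):
    """Return accounts where a silent admin-tool email change is followed,
    in order and within `window`, by an MFA disable and a password reset."""
    by_account = {}
    for e in events:
        by_account.setdefault(e["account"], []).append(e)
    flagged = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, start in enumerate(evs):
            if not (start["action"] == SEQUENCE[0] and start["via"] == "admin_tool"
                    and start["notified_old_email"] == "false"):
                continue
            deadline = parse_ts(start["ts"]) + window
            later = [e["action"] for e in evs[i + 1:] if parse_ts(e["ts"]) <= deadline]
            # The remaining steps must appear as an ordered subsequence.
            pos = 1
            for action in later:
                if pos < len(SEQUENCE) and action == SEQUENCE[pos]:
                    pos += 1
            if pos == len(SEQUENCE):
                flagged.append(account)
                break
    return flagged
```

Running `find_silent_takeovers(SAMPLE_LOG)` flags only "@6"; the benign @alice change is skipped because the old address was notified and no MFA change followed.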



Lucky225 said that he still has no way to check whether any tweets were sent from his account after it was hacked, because he does not yet have access to it again (he analyzed the whole episode in detail in a post on Medium).



Around the same time that @6 was taken over, another account, @B, was hijacked as well. Then someone began posting images of Twitter's admin panel showing the @B account.



Twitter responded by removing all screenshots of its internal tools from the platform and, in some cases, temporarily suspending accounts.



Another account, @shinji, also posted images of Twitter's internal tools. A few minutes before it was suspended, it posted a tweet urging people to follow @6, the account stolen from Lucky225.



Here and here on the Internet Archive you can find cached versions of Shinji's tweets from before Wednesday's attack. They show the user claiming to own two OG accounts on Instagram, "j0e" and "dead".



A security source at one of the largest US mobile operators told us that the "j0e" and "dead" accounts are tied to a notorious SIM swapping hacker nicknamed PlugWalkJoe. Researchers have been tracking PlugWalkJoe because he is believed to have carried out several SIM swaps over the years, each followed by the theft of large amounts of bitcoin.



Now let's look at the profile picture in another archived copy of the shinji account (below). The image is the same as in Wednesday's screenshot, when Joseph / @Shinji posted snapshots of Twitter's internal tools to his feed.



Our source said that this person was one of the key members of a SIM swapping group called Chuckling Squad. That group is believed to have taken over the Twitter account of Jack Dorsey [Twitter's founder; translator's note] last year. Wired wrote that the @jack account was hijacked after the hackers arranged a SIM swap at the operator AT&T, where the phone number tied to Dorsey's account was held.



A tweet sent from Jack Dorsey's account when it was hacked mentions PlugWalkJoe and other Chuckling Squad members.



A source in the mobile security industry told us that in real life PlugWalkJoe is Joseph James Connor, a 21-year-old Liverpool resident. He is currently in Spain, where he was studying at university, and has not yet been able to return home due to coronavirus-related travel restrictions.



The source said PlugWalkJoe is under scrutiny, and a female investigator was hired to get to know him and persuade him to video chat. In the video recorded during that chat, investigators noticed a distinctive swimming pool.



The source said that the pool seen in a photo on PlugWalkJoe's Instagram account, instagram.com/j0e, is exactly the same as the one they saw in the video chat.



If PlugWalkJoe was directly involved in the Twitter hack, it seems fitting that he was exposed partly thanks to social engineering. Perhaps we should be grateful that the Twitter hackers did not attempt something more ambitious, such as interfering in elections, crashing financial markets, or trying to start a war through false and divisive statements from world leaders.



It is also clear that this Twitter hack could have given the hackers access to direct messages between any accounts, and the value of such information can hardly be overstated: it would certainly interest a range of individuals and organizations, from states to corporate spies and blackmailers.


