What Two Recent Cyber Attacks Can Teach Us: Twitter and COVID-19 Highlight What’s at Stake


July 2020

By: Orhan Yildirim

2020 has been a rough year when it comes to the global health crisis, related economic challenges, and critical divisions in government as we head into an election season in the context of continued attacks on American democracy.

It has never, in history, been more important to protect what we connect – to protect intellectual property, to protect networks and systems, to protect individual privacy rights, and to protect our ability to live in a free and fair society.

Two major incidents occurred earlier this month, and they are still being dissected and deeply analyzed so we can understand what happened, why it happened, who was behind the attacks, and most of all – how we can avoid even more pervasive and harmful attacks in the future.

What can we learn from the Twitter and COVID-19 vaccine incidents and how can we respond – immediately and with great strength and precision?

Targeting some of the most influential public figures, celebrities, and brands on Twitter, hackers orchestrated a highly coordinated social engineering attack and used the hijacked accounts to promote a cryptocurrency scam. According to many experts, and subsequently Twitter itself, the accounts were taken over through Twitter's own internal administrative tools rather than through the account holders' passwords.

Personal Twitter accounts hacked include those of Amazon CEO Jeff Bezos, former Vice President Joe Biden, Tesla CEO Elon Musk, former President Barack Obama, Bill Gates, Warren Buffett, and others.

Apple and Uber’s Twitter accounts were also hacked.

The adversaries are believed to have tricked, coerced, or bribed Twitter employees to gain access to privileged credentials and to the administrative tools those credentials unlock; SIM swapping has been cited as one of the techniques involved. Early indications reveal that, for each targeted account, the hackers first changed the registered email address. Only then did they turn off two-factor authentication, so that the alert about the change went to an address they controlled rather than to the account owner. With the targeted accounts under their control, the hackers began promoting their cryptocurrency scam. While not all details of the attack have surfaced, expert accounts indicate that the hackers convinced a Twitter employee to help them hijack the accounts. The order of operations matters: the email change is what silenced the victim's notification, and the 2FA change is what removed the last control the victim's own device still held.
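The sequence above (email change, then 2FA disabled, by the same operator, within minutes, repeated across many accounts) is exactly the kind of pattern an internal-tool audit log should be watched for. The following is an added example, not Twitter's code or any vendor's product: the log format, the field names, the operator IDs and the account handles are all constructed for illustration, and the time windows are assumptions you would tune to your own tooling.

```python
"""Flag change_email -> disable_2fa sequences in a support-tool audit log.

Added example; the log format, operators, accounts and thresholds below are
constructed for illustration and are not from the original post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: ISO timestamp, operator, action, target.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z op=agent17 action=view_profile target=@exampleceo
2020-07-15T20:02:05Z op=agent17 action=change_email target=@exampleceo
2020-07-15T20:02:40Z op=agent17 action=disable_2fa target=@exampleceo
2020-07-15T20:03:12Z op=agent17 action=change_email target=@examplefounder
2020-07-15T20:03:50Z op=agent17 action=disable_2fa target=@examplefounder
2020-07-15T20:04:00Z op=agent03 action=change_email target=@regularuser
2020-07-15T21:30:00Z op=agent03 action=disable_2fa target=@regularuser
"""

SEQUENCE_WINDOW = timedelta(minutes=10)   # email change then 2FA off (assumed)
BURST_WINDOW = timedelta(minutes=15)      # several takeovers by one operator
BURST_THRESHOLD = 2                        # distinct accounts inside BURST_WINDOW


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_takeover_sequences(log_text, window=SEQUENCE_WINDOW):
    """Return one finding per change_email followed by disable_2fa on the same
    account by the same operator within `window`. Each finding is a dict with
    op, target, ts (of the 2FA change) and seconds (gap between the two)."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_email_change = {}   # (op, target) -> time of the email change
    findings = []
    for e in events:
        key = (e["op"], e["target"])
        if e["action"] == "change_email":
            last_email_change[key] = e["ts"]
        elif e["action"] == "disable_2fa" and key in last_email_change:
            delta = e["ts"] - last_email_change.pop(key)   # pair each change once
            if delta <= window:
                findings.append({
                    "op": e["op"], "target": e["target"], "ts": e["ts"],
                    "seconds": int(delta.total_seconds()),
                })
    return findings


def find_operator_bursts(findings, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {operator: set of targets} for operators who completed takeover
    sequences against at least `threshold` distinct accounts within `window`.
    One legitimate account recovery looks like a single sequence; a bribed or
    phished operator working a list of victims looks like a burst."""
    by_op = defaultdict(list)
    for f in findings:
        by_op[f["op"]].append(f)
    bursts = {}
    for op, seq in by_op.items():
        seq.sort(key=lambda f: f["ts"])
        for i, start in enumerate(seq):
            targets = {f["target"] for f in seq[i:] if f["ts"] - start["ts"] <= window}
            if len(targets) >= threshold:
                bursts[op] = targets
                break
    return bursts


if __name__ == "__main__":
    found = find_takeover_sequences(SAMPLE_LOG)
    for f in found:
        print(f"{f['op']} took over {f['target']} ({f['seconds']}s between steps)")
    print("bursts:", find_operator_bursts(found))
```

In the constructed log, agent17 trips both rules (two accounts in under two minutes) while agent03's email change and 2FA change are 86 minutes apart and are not paired. A genuine account-recovery ticket produces the same two events, so in practice this rule is joined to the ticketing system and the pairing window is tuned so that the normal recovery workflow does not alert on its own.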

The credential-based explanation was accepted almost immediately by the cybersecurity community, given the widely cited industry estimate that around 80% of data breaches involve the abuse of privileged access. Put simply, somebody leveraged a compromised credential, or a compromised person holding one, to enter the Twitter environment and take over accounts. Twitter confirmed within days that the attackers had got in through its own employees, whether those employees were complicit or deceived.

The 2019 Verizon Insider Threat Report defines five insider threats based on data breach scenarios:

  • The Careless Worker
  • The Inside Agent
  • The Disgruntled Employee
  • The Malicious Insider
  • The Feckless Third-Party

Whichever category Twitter's full investigation eventually points to, there is a grim irony in the Twitter attack being immediately followed by the COVID-19 vaccine reporting: with the pandemic and its related economic hardships, the risk of insider threats is growing, as furloughs and layoffs may tempt employees to participate in schemes like this.

What are we continuing to learn?

Organizations must rethink the way they have structured their cybersecurity posture and ensure privileged access management (PAM) is at the FRONT LINE of their security policies. The Twitter attack taught us, and will continue to prove, that no traditional technical "breach" such as phishing, originally posited as the theory behind the attack, is required. It was just a matter of finding the right person with the right privileges, then paying or persuading them, and within minutes 25 tweets were posted to 25 of the world's most famous Twitter accounts.
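What "PAM at the front line" means in engineering terms is that no single operator, however they were compromised, can perform a high-risk account action on a high-value account alone, and nobody can perform dozens of them in minutes. The following is an added example of such a gate, not Twitter's code and not any vendor's PAM product: the action names, the list of protected accounts, the operator IDs and the limits are assumptions constructed for illustration.

```python
"""Four-eyes approval plus a rate limit for high-risk support-tool actions.

Added example; action names, protected accounts, operator IDs and limits are
assumptions for illustration and are not from the original post.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that let an operator take over or speak as a user (assumed names).
HIGH_RISK_ACTIONS = {"change_email", "disable_2fa", "post_tweet_as_user"}
# Accounts that require a second approver for any high-risk action (constructed).
PROTECTED_ACCOUNTS = {"@exampleceo", "@examplefounder"}
RATE_LIMIT = 3                     # high-risk actions per operator per window
RATE_WINDOW = timedelta(minutes=30)


class PrivilegedActionGate:
    """Decide whether an operator may perform an action, and keep an audit trail."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)   # operator -> times of allowed actions
        self.audit = []                    # every request, allowed or not

    def authorize(self, op, action, target, ts, approver=None):
        """Return (allowed, reason). Denied requests are recorded too, because a
        burst of denials is itself a signal worth alerting on."""
        allowed, reason = self._decide(op, action, target, ts, approver)
        self.audit.append({"ts": ts, "op": op, "action": action, "target": target,
                           "approver": approver, "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, op, action, target, ts, approver):
        if action not in HIGH_RISK_ACTIONS:
            return True, "low-risk action"
        # Rule 1: protected accounts need a second, distinct approver (four eyes).
        if target in PROTECTED_ACCOUNTS:
            if approver is None:
                return False, "protected account: second approver required"
            if approver == op:
                return False, "protected account: approver must differ from operator"
        # Rule 2: sliding-window rate limit on high-risk actions per operator.
        q = self.recent[op]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            minutes = int(self.window.total_seconds() // 60)
            return False, f"rate limit: {self.limit} high-risk actions per {minutes} min"
        q.append(ts)
        return True, "approved" if approver else "allowed"


def demo():
    """Run a constructed request sequence through the gate; return the decisions."""
    gate = PrivilegedActionGate(limit=2, window=timedelta(minutes=30))
    t0 = datetime(2020, 7, 15, 20, 0)
    requests = [
        ("agent17", "view_profile", "@exampleceo", t0, None),                  # low risk
        ("agent17", "disable_2fa", "@exampleceo", t0, None),                   # no approver
        ("agent17", "disable_2fa", "@exampleceo", t0, "agent17"),              # self-approval
        ("agent17", "disable_2fa", "@exampleceo", t0, "lead02"),               # four eyes ok
        ("agent17", "change_email", "@someuser", t0 + timedelta(minutes=1), None),
        ("agent17", "change_email", "@otheruser", t0 + timedelta(minutes=2), None),   # limit hit
        ("agent17", "change_email", "@otheruser", t0 + timedelta(minutes=31), None),  # window slid
    ]
    return [gate.authorize(*r) for r in requests]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The two rules address the two halves of the incident separately: the approver rule means a single bribed or phished operator cannot flip 2FA on a protected account by themselves, and the rate limit means even a compromised pair cannot work through a list of 25 accounts in minutes without being stopped and logged. In a real deployment the approver check would be tied to the ticketing or step-up authentication system rather than to a string argument.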

Look for Twitter to dramatically shore up their PAM posture and other security measures after taking a devastating hit this month.

The COVID-19 vaccine breaches are “next level.”

According to the UK's National Cyber Security Centre (NCSC), state-sponsored hackers are actively targeting organizations involved in the development of a COVID-19 vaccine. Its advisory says the threat group APT29, also known as "Cozy Bear" and assessed to be associated with Russian intelligence services, has been targeting vaccine research and development organizations in the UK, US, and Canada.

Paul Chichester, director of operations at the NCSC, condemned the attacks, calling them “despicable” and working against those doing vital work to combat the coronavirus pandemic.

“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” he said. “We would urge organizations to familiarize themselves with the advice we have published to help defend their networks.”

Like Twitter, the issue is privileged credentials. But unlike Twitter, where a person was the way in, here the adversaries combined exploitation of exposed services with custom malware (the advisory names the WellMess and WellMail tools) to obtain authentication credentials and access systems. The initial access itself was not exotic: "In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations," the NCSC reported. "The group then deployed public exploits against the vulnerable services identified." In other words, unpatched internet-facing services were the door, and the sophistication lay in what the group did once inside. The practitioner's check here is unglamorous: know which external IP addresses you own, scan them yourself, and patch the internet-facing services before someone else's scanner finds them.

The NCSC has been supported by partners at Canada's Communications Security Establishment (CSE), the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).

COVID-19 is an existential threat to every individual, family, community, and government in the world, which makes these reports even more shocking. The reporting itself is not new: there has been significant COVID-related targeting of governments since January of this year.

In this case, what we are learning is that regardless of how privileged credentials are compromised, every business, enterprise, government agency, healthcare organization, and social media company must immediately put in place privileged access management that works in our hyperconnected world: one that protects clouds, networks, applications, and all of the other pieces of our digitally driven world.

We are also learning that the consequences of not implementing these measures immediately are not only costly to brand reputations but, in the case of vaccine research, can arguably be measured in lives.
