The unprecedented Twitter hack that targeted Barack Obama, Elon Musk, and others may be part of a larger, more ominous attack, experts say
- The Twitter accounts of SpaceX and Tesla CEO Elon Musk, former President Barack Obama, and companies like Apple and Uber were targeted in a colossal hack on Wednesday.
- The compromised accounts all posted a similar message asking followers to send bitcoin.
- Some cybersecurity experts said they think the hack could have been a distraction or cover for a more nefarious cyberattack, though there's no evidence of this.
- Twitter says it's still investigating the situation.
If you were on Twitter on Wednesday evening, you probably noticed something incredibly strange: Elon Musk, Kanye West, Barack Obama, Bill Gates, and many others posted nearly identical messages asking for bitcoin donations.
That's because Twitter suffered an unprecedented attack that compromised the accounts of high-profile celebrities, politicians, and business leaders.
The attack — which was executed very publicly, resulting in many of the tweets being deleted in minutes — could have been a sign of a broader, more nefarious scheme, some cybersecurity experts told Business Insider.
Twitter says it's still investigating the attack, and New York Gov. Andrew Cuomo announced on Thursday that the state would launch a full investigation into the incident. Many of the experts noted that there was no evidence of a broader attack tied to Wednesday's Twitter hack, but the situation still made them suspicious.
"If you suddenly had access to some of the most prolific, powerful people, what would you do?" Kevin O'Brien, the CEO of the cloud email security company GreatHorn, said in an interview. "Would you say that you wanted to get some bitcoin? That's a bizarrely small use of this level of access."
The tweets could have been an attempt to ensure that the hackers were able to access the accounts to gain lucrative information or install backdoors, O'Brien said.
"The question is: Is this attack something of a false flag?" O'Brien said. "It looks like a bitcoin scam, but really, say the accounts were being accessed because there was information that was in them that is valuable."
Vice's Motherboard reported that the hackers were able to take over the accounts using an internal tool obtained through at least one current employee. Twitter on Wednesday confirmed that hackers had gained access to internal systems and tools by executing a coordinated social-engineering attack against its employees.
Twitter said it had "taken significant steps" to limit access to internal tools while it investigates the matter. The company also limited functionality for verified accounts and locked the compromised accounts while it investigated.
It's unlikely that hackers will be able to exploit Twitter in a similar way since this attack was so public, said Etay Maor, the chief security officer at IntSights, and Ryan Olson, vice president of Unit 42 at Palo Alto Networks. But Olson also agreed that it was possible it was a stunt to distract from a broader initiative.
"Noisy attacks are a great way to distract security teams from other malicious activities," Olson said in an email.
O'Brien also said this could be a motivation behind the bitcoin-scam tweets.
"It wouldn't be a terribly surprising if there was a simultaneous, much wider attack, maybe not even on Twitter," he said, though he also pointed out that there's been no evidence of a separate attack.
Another possibility is that these hackers acted covertly for months before exposing themselves publicly, said Alun Baker, the CEO of the security-app-maker Clario Tech.
"Typically a hacker has been in business for three to six months before they're discovered," Baker told Business Insider. "It's unusual for a hacker to show their hand right away ... The next thing you have to ask yourself is: How long were they in there?"
Some security experts said they think the bitcoin scam was a way for the hackers to show off.
"I can only speculate about the true intentions behind this scam, but at the surface level, it appears their goal was to show off, get some attention, have a little fun, and walk away with a pocket full of cash in the end," Luis Corrons, a security evangelist for Avast, which makes antivirus software, said in an email.
"The hackers had to have known that the Twitter security team would be all over the situation once they launched their tweets, so I don't think there was a longer-term goal here," Corrons added.
Regardless of the motivation, Maor said the attack could have been much worse, given the level of access the hackers were able to obtain. The high-profile tweets suggest the attackers may have been in a rush, he said.
"I hate to say this about something bad that happened, but I think we're almost lucky that this is what it ended up with," Maor said, "and not something far more nefarious."
In 2013, for example, a group of Syrian hackers claimed responsibility for hacking The Associated Press' official Twitter account to post a tweet falsely saying that the White House had been bombed and that Obama had been injured.
To O'Brien, the Twitter hack is evidence of a broader trend in cyberattacks: social engineering, the practice of posing as an unassuming person, such as a new employee, to gain information about a target that hackers can then leverage to gain critical access.
"In security, you're paid to be paranoid," O'Brien said. "And the paranoia says there was something else happening at the same time, or these accounts were being accessed in ways that are far more damaging."