Mark D. Rasch and Allison Nixon
Three Arrests Made In Massive Twitter Scheme Hack: Investigative Insights
Early in the morning of July 31, 2020, Hillsborough County, Florida law enforcement officials arrested 17 year old Graham Clark as being at least one of the participants in the massive scheme to “hack” the identities of certain celebrity users of the Twitter social media platform. The arrest, and leveling of 30 felony charges against the Tampa area youth, represent the latest development in the federal, state and local investigation of a mixture of social engineering, phishing, spoofing, Man in the Middle (MitM) and crypto-currency attack which lead to the compromise of high-profile Twitter users’ accounts including those of former President Barack Obama and Tesla CEO Elon Musk.
Who was charged?
Shortly thereafter, the FBI announced charges against two others, Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom, and Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida who were both charged in federal court in San Francisco out of charges resulting from the same Twitter hack.
From the press releases, it is clear that the perpetrators are young. Through our investigative work, we have been following both the methods deployed in the Twitter attack, and the investigation of the perpetrators. The fact that the people arrested are teenagers or young adults does not automatically prove that the attackers lacked sophistication. Indeed, many of these individuals named have a significant prior history of criminal involvement. In the past, many of the individuals under 18 who have pulled off high profile heists have actually had multiple years of criminal “training” prior to such events, and the legal protections afforded to minors is often an incentive for them to commit their acts before their 18th birthday. It remains to be seen if that was the case here. The situation could have been much worse with greater implications for society as a whole if nation states were aware of, and were willing to purchase, these cybercriminals’ often publicly available criminal services.
The attack on Twitter was a multi-pronged attack designed to trick specific Twitter employees identified by and targeted by the hackers to use their access to Twitter administrative tools to take over the accounts. The first thing the attacker needed to do was to identify who they wanted to target within Twitter. They used a combination of public information, tools typically used by marketing professionals, LinkedIn profiles and other information not only to decide what Twitter employees to target, but to learn as much about these employees as possible. In that way, they were able to get the Twitter employees’ personal cell phone numbers, and call them in order to further the attack.
Likely Repeated Offenders
While the criminal charges are directed at these three individuals, it is both unlikely that this is the first time that these people have done something like this, and it’s also unlikely that they worked entirely alone.” Typically, those in the hacking community develop skills and share information with their peers, and substantial criminal activity occurs on criminal open-air marketplaces such as these criminal forums. Often these people don’t know each other, and may not even know what the others plan to do with the information shared. It’s basically an online school for how to hack any victim you want.
Unit 221B’s research showed that the Twitter plot is a familiar pattern previously only exclusively targeting telcos. The goal was to get to the administrative tools which would allow the attacker to get to the accounts deemed valuable by the attackers, in this case celebrities. The methodology was to trick the employee into giving up their unique user ID’s, passwords and other credentials that permitted access to the admin tools. Once they had the access, they were able to log into the celebrity accounts and post requests for cryptocurrency payments. The methodology is not uncommon in various hacker groups, including those that target what is known as OG or “Original” Twitter handles – Twitter accounts that are prized in the hacker community. Companies need to remain vigilant and beef up their authentication and responses in light of these attacks. Moreover, they need to know their enemies — their intentions, their capabilities, their tools and techniques.
Tactics, Techniques and Procedures
There is a need for companies to maintain good relations with various law enforcement agencies, and to cooperate as appropriate with these agencies. The arrests show what can be done when law enforcement agencies are motivated and properly equipped. From an investigative perspective, there are many ways to successfully learn about such attacks, but any such investigation should include computer forensics, cryptocurrency tracing, and expert services. Being aware of the various hacker communities allows both law enforcement and defenders to get a better sense of what is going on and how to respond. Often, there is no honor among thieves, and hackers may vie for credit or attempt to discredit the attack. The hacker community itself is often just as motivated to find out who is responsible and expose them- and gossip spreads fast.
In this case, the hacker sought to exploit the fact that, during the COIVID pandemic, many employees are working remotely. By reaching out to the employees by cell phone, the hacker established a false trust relationship with them, and induced them to do things from home that they might not have been willing to do if they were in a normal office location. In addition, the home-based Twitter employees were directed to a legitimate looking but fraudulent “internal” Twitter website, designed by the hacker to steal credentials and perpetuate a “Man in the Middle” attack designed to steal multifactor authentication credentials. This kind of attack of MFA credentials is similar to attacks used by SIM swappers who convince low level employees to change credentials to permit access. The specific criminal communities involved are mentioned by name in the affidavit in support of the federal arrest warrant, and Unit 221B has deep expertise in uncovering fraud schemes perpetrated by those communities.
Investigation Ongoing
The investigation is likely to continue, and there is a good chance that more arrests and charges will be filed for related actors and related schemes. The takeaway for companies is to recognize that people on the phone are not always who they say they are. Trust, but verify. Or better yet, don’t trust, and verify.
