Twitter Alerts Users to State-Sponsored Cyberattack Threat

Twitter last week began warning some of its members that they might be the target of a state-sponsored attack on their accounts.

Coldhak posted to its Twitter account a copy of the warning it received.

It’s among a small number of accounts that state-sponsored actors may be targeting in an attempt to obtain information such as email addresses, IP addresses and phone numbers, Twitter warned.

There’s no evidence the actors obtained Coldhak’s account information, said Twitter, which is investigating the matter.

Proactive First

Although both Google and Facebook have adopted formal policies for warning their users about apparent state-sponsored attacks, Twitter’s action may be a first by a social network.

“This is the first time that I’ve ever heard of the platform itself being proactive in recognizing that activity and alerting users to it,” said Richard Stiennon, chief research analyst atIT-Harvest.

Google rolled out a warning system for alerting some of its users of state-sponsored attacks in 2012.

“You might ask how we know this activity is state-sponsored,” said Eric Grosse, Google’s vice president for security engineering at the time. “We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis — as well as victim reports — strongly suggest the involvement of states or groups that are state-sponsored.”

Facebook Warning System

Facebook put its state attack warning system in place in October.

“While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored,” Facebook CSO Alex Stamos said.

“We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” he continued.

Facebook launched its state attack warning program shortly after Dell SecureWorks issued a report on a group of Iranian hackers known as TG-2889. The group created a network of fakeLinkedIn accounts to target members in the telecommunications industry and defense organizations in the Middle East, Africa and South Asia.

Creating a network of LinkedIn personas can help TG-2889 identify and research potential victims. The hackers can build relationships with the targets by contacting them either directly or through their connections, the Dell report said.

Target-Rich Environment

LinkedIn can be a very rich target for nation-states, noted Jonathan Klein, president ofMicroStrategy.

“Your entire professional rsum, from your academic profile to all your connections from all your jobs, provides an endless source of data for people to construct either false connections to you or a solid picture of an organization,” he told TechNewsWorld.

A state actor can get a good idea about an organization by collecting its members’ profiles on LinkedIn and seeing all the projects they’ve been working on and the people they’re connected to, Klein said.

Like Google, Twitter isn’t saying how it knows the attacks behind its warnings originated with a nation-state, but it’s unlikely the company is waving a red flag prematurely.

“Twitter has tremendous data resources, so they could do behavior analysis that could support its conclusions,” IT-Harvest’s Stiennon told TechNewsWorld. “I’m confident they have the ability to tell when a nation-state is targeting someone’s account.”

For example, Twitter can see large numbers of failed login attempts from IP addresses connected to known state actors.

Tor Connection

“State actors behave differently than criminals,” said Eva Galperin, a global policy analyst with theElectronic Frontier Foundation.

“In the case of Twitter or any large company providing a platform or service, they have the 10,000-foot view of what else this actor is doing and who else they’re targeting,” she told TechNewsWorld. “From there you can actually draw some conclusions about whether you’re up against a nation-state or someone allied with a nation-state.”

Although it’s unknown why state actors would target the accounts that received warnings from Twitter, in the case of Coldhak there is a Tor connection.

Tor is a network used by Internet users, including dissidents, who need to keep their identities anonymous. Colin Childs, one of the founding directors of Coldhak, is a contractor for theTor Project.

“People who work on the development of Tor have access to the kind of sensitive information that can be used to compromise the Tor network,” Galperin explained. “Since nation-states are often spying on people who are using Tor, compromising the Tor network is highly relevant to their interests.”

“Social media is becoming increasingly important as a tool for communication for dissidents and people trying to change countries,” said Jan Dawson, chief analyst withJackdaw Research.

“Since it’s a legitimate and important form of communication for those people,” he told TechNewsWorld, “some governments want to stop it.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels