Inside The Twitter Breach Investigation: What Happened

Updated on

This past week Allison Nixon, Chief Research Officer at  Unit 221B, and team confirmed that the individuals behind the Twitter breach came out of the OG community, a group that Unit 221B activity tracks for its own customers. The motivation involved was similar to previous incidents they have observed.  The OG community is not tied to any nation states, rather they are a disorganized crime community with a basic skill set and are serial fraudsters.  Unit 221B has collected and analyzed a good deal of  intelligence regarding this particular incident and are actively working with law enforcement and other entities historically targeted by the OG community so they can move forward with this investigation accordingly.

Get Our Activist Investing Case Study!

Get The Full Activist Investing Study In PDF

Q2 2020 hedge fund letters, conferences and more

Investigating The Twitter Breach

Allison Nixon, Chief Research Officer, Unit 221B

“The individuals behind the Twitter breach likely come out of the OG community, a group that Unit 221B activity tracks for our own customers. The OG community began as a group of hackers interested in OriGinal Twitter handles with single digits or low numbers which have perceived prestige and value, but includes groups interested in all manner of cybercrime and cyber-fraud.  Based upon what we have seen,the motivation for the most recent Twitter attack is similar to previous incidents we have observed in the OG community - a combination of financial incentive, technical bragging rights, challenge, and disruption.”

“The OG community is not known to be tied to any nation state.  Rather they are a disorganized crime community with a basic skillset and are a loosely organized group of serial fraudsters”

“Unit 221B saw what was happening with Twitter in its early stages.  We recognized that the Twitter breach matched similar attacks we had seen in the OG Community, and that it followed the same motivations, tactics and techniques that mirror the OG Community, a group that Unit 221B actively profiles and monitors.”

“In tracking this community have observed that they are highly practiced at both insider recruitment and social engineering -- the ability to obtain inside access to sophisticated tools and high-level access to password resets and account takeovers, either by tricking lower-level support staff or by corrupting them. This criminal community is known for crypto theft and SIM swapping, and insider recruitment is one of the key techniques they use to accomplish this goal.  In the SIM swap community, the OG hackers have been able to take over targets cell phone numbers (often repeatedly) by corrupting help desk or similar lower paid employees, and using the access provided to redirect phone traffic to their phones.  This has enabled tens of millions of dollars of losses to Bitcoin vendors.  Similar techniques used by the OG community may have permitted them to obtain access to protected Twitter accounts.”

“In this case, internal Twitter administrative tools were used to gain access to the accounts. Hackers changed the account's email, reset the password and were able to gain access.”

“This form of hacking is so powerful it has the potential to impact many companies and industries - not just social networking or social media like Twitter.  If you can get access to the internal administrative tools, or to someone who has them, you can take over anyone’s account virtually anywhere. Because people rely on the integrity of their accounts, and others rely on accounts as being valid, these OG techniques are used for things like currency and market manipulation.  Entire markets and potentially elections may be manipulated or altered in this way.  Victims of account takeovers generally do not know that the fraud has occurred, and generally cannot take security precautions to prevent it.”