The Twitter hack that targeted Obama, Elon Musk, and others may be part of 'a more ominous attack'

Business Insider US
  • The Twitter accounts of SpaceX and Tesla CEO Elon Musk, former president Barack Obama, and companies like Apple and Uber were targeted in a colossal hack on Wednesday.
  • The compromised accounts all posted a similar message asking followers to send bitcoin.
  • Some cybersecurity experts, however, believe the hack could have been a distraction or cover for a more nefarious cyber attack, although there's currently no evidence of this.
  • Twitter says it is still investigating the situation.

If you were on Twitter Wednesday evening, you probably noticed something incredibly strange: Elon Musk, Kanye West, Barack Obama, Bill Gates, and many others all posted nearly identical messages asking for bitcoin donations.

That's because Twitter suffered an unprecedented attack on Wednesday that compromised the accounts of high-profile celebrities, politicians, and business leaders.

The attack - which was executed in a very public way, resulting in many of the tweets being deleted within minutes - could have been a sign of a broader, more nefarious scheme, some cybersecurity experts told Business Insider.

Twitter is still investigating the attack, and New York State is launching a full investigation into the incident, Governor Andrew Cuomo announced on Thursday. Many of the experts noted that there was no evidence yet of a broader attack that's tied to Wednesday's Twitter hack, but the situation still made them suspicious.

"If you suddenly had access to some of the most prolific, powerful people, what would you do?" Kevin O'Brien, CEO of the cloud email security company GreatHorn, said in an interview. "Would you say that you wanted to get some bitcoin? That's a bizarrely small use of this level of access."

The tweets could have been an attempt to ensure that the hackers were able to successfully access the accounts to gain lucrative information or install backdoors, O'Brien said.

"The question is, 'Is this attack something of a false flag?'" O'Brien said. "It looks like a bitcoin scam, but really say the accounts were being accessed because there was information that was in them that is valuable."

Vice's Motherboard reported that hackers were able to take over the hacked accounts using an internal tool, which the attackers said they obtained through at least one current employee. Twitter on Wednesday confirmed that hackers had gained access to internal systems and tools by executing a coordinated social engineering attack against its employees.

Twitter says it's "taken significant steps" to limit access to internal tools while it's investigating the matter. The company also limited functionality for verified accounts and locked the compromised accounts while it investigated.

It's unlikely that hackers will be able to exploit Twitter in a similar way since this attack was so public, say Etay Maor, chief security officer at IntSights, and Ryan Olson, vice president of Unit 42 at Palo Alto Networks. But Olson also agrees it's possible it was a stunt to distract from a broader initiative.

"Noisy attacks are a great way to distract security teams from other malicious activities," Olson said in an email.

O'Brien also mentioned this as a potential motivation behind the bitcoin scam tweets.

"It wouldn't be terribly surprising if there was a simultaneous, much wider attack, maybe not even on Twitter," he said, although he also pointed out that there's been no evidence of a separate attack.

Another possibility is that these hackers could have been acting covertly for months before exposing themselves publicly, according to Alun Baker, CEO of security app maker Clario Tech.

"Typically a hacker has been in business for three to six months before they're discovered," Baker told Business Insider. "It's unusual for a hacker to show their hand right away ... The next thing you have to ask yourself is, 'How long were they in there?'"

Some security experts think the bitcoin scam was a way for the hackers to show off.

"I can only speculate about the true intentions behind this scam, but at the surface level, it appears their goal was to show off, get some attention, have a little fun, and walk away with a pocket full of cash in the end," Luis Corrons, security evangelist for antivirus software maker Avast, said in an email. "The hackers had to have known that the Twitter security team would be all over the situation once they launched their tweets, so I don't think there was a longer-term goal here."

Regardless of the motivation, Maor, the IntSights CSO, said the attack could have been much worse given the level of access the hacker was able to obtain. The high-profile tweets suggest the attacker may have been in a rush, he said.

"I hate to say this about something bad that happened, but I think we're almost lucky that this is what it ended up with," Maor said. "And not something far more nefarious."

In 2013, for example, a group of Syrian hackers claimed responsibility for hacking the Associated Press' official Twitter account to send out a tweet falsely saying that the White House was bombed and then-president Barack Obama was injured.

To O'Brien, the Twitter hack is evidence of a broader trend in cyber attacks: social engineering, or the practice of gaining information about the target by posing as an unassuming person - such as a new employee. Through this technique, hackers are able to obtain more information about their target that they can leverage to gain critical access.

"In security, you're paid to be paranoid," O'Brien said. "And the paranoia says there was something else happening at the same time, or these accounts were being accessed in ways that are far more damaging."
