Twitter Turns NARC in 2016: Social Media Begins Informing Users of State Sponsored Attackers
Following a recent spike in state-sponsored cyber-attacks of more than 50 attendees of a prestigious cyber-security conference, the admins at Twitter set out to begin informing their users when accounts are targeted by known state-sponsored attackers via their social network. The event was the 2015 32C3 Conference hosted in Hamburg, Germany. What’s 32C3 you ask? An annual meeting of the cyber-elite minds, hosted by the Chaos Computer Club, Europe’s largest hacker collective.
Days leading up to the conference, Twitter researchers found an unusual amount of malicious activity aimed at roughly 50 Twitter accounts owned and operated by cyber researchers planning to attend this event. Twitter informed the targeted individuals, and the attacks themselves quickly became the main event on the conference’s agenda, though Twitter personnel did not specify which states were launching the attacks, so much so that the intended victims created an online petition with a list of unanswered questions that they hoped Twitter would eventually address. Many speculate that the social media provider’s silence on the subject is due to a U.S. government-administered gag order or some kind.
But Twitter isn’t the first social network to begin to report, and then broadly-brush the details, of alleged state-sponsored attacks to their users. Facebook was the first reported social network to begin alerting their users to these styles of attacks. However, like Twitter, the details were few and far between.
For years now, both social media providers have done an admirable job at monitoring, and in some instances combatting via account deletion, malicious hacker groups from using their products. Most notably is the ever-constant battle that these networks have with the popular hacktivist group the Syrian Electronic Army, whose popularity spiked in 2013 and 2014 after numerous successful attacks to the U.S. financial sector as well as U.S. government websites and databases. Their most famous work came in 2013, when the hacker group successfully turned a simple phishing attack into acquiring the log-in credentials for the official Twitter account of the Associated Press, and subsequently tweeting a message stating that the White House was under attack. One simple message caused not only a panic among those who “followed” the AP’s Twitter feed, but the message also caused automated news-monitoring stock market systems to temporarily tank the market. Most recently, the group successfully attacked the U.S. Army’s main domain, Army.mil. Nearly as soon as profiles for this hacker group go up on Facebook or Twitter, they are suspended or deleted altogether.
But where does the data go? If Twitter and Facebook encounter these types of attacks with regularity, especially when major cyber events such as the 323C conference loom, then who and what is getting their hands on the logged IP data, attack signatures, and basically any digital fingerprints from the attackers? The natural assumption is the U.S. is receiving this information, especially after the 2012 Snowden revelations shined light on the main social networks’ cooperation with U.S. government investigators. But that precisely is the same institution that many, including those who’ve fallen victim to these attacks, are concluding are the main culprits for the activity in the first place.
This post was written by Casey Moles, Government Analyst with Thomson Reuters.