Twitter Issues First-Ever State-Sponsored Attack Alerts

Follows Google, Facebook Offering Nation-State Attack Alerts

Twitter has issued its first-ever security alerts to some users that they may have been "targeted by state-sponsored actors."

Twitter says it's alerted "a small group of accounts" that they've been targeted in apparent attacks designed to obtain accountholder-related information, including email addresses, IP addresses and phone numbers - the service started collecting phone numbers from users earlier this year.

But the micro-blogging service has released scant additional details, beyond noting that it's still investigating the suspected attacks. Twitter also didn't immediately respond to a request for comment about how many such alerts it's now issued, what methods it uses to detect attacks, or who it suspects might be responsible for the suspected attacks.

News of the warning was first reported by technology news site Motherboard and Financial Times.

Google and Facebook already had systems in place to warn users if they're targeted by a suspected nation-state attack.

One organization that says it received the notice is the Winnipeg, Canada-based non-profit Coldhak, which develops code to help build Linux kernels that include the grsec security improvements, as well as to manage relays for the anonymizing Tor online network.

We received a warning from @twitter today stating we may be "targeted by state-sponsored actors" pic.twitter.com/oZm83eVFC5

Colin Childs, one of the founding directors of Coldhak, tells Reuters that his organization has seen "no noticeable impact of this attack."

In response to Coldhak's post, multiple cryptographers, information security experts and journalists say that they too have received the same warning from Twitter, Financial Times reports. Of the 46 people who responded to a Twitter poll created by the "Stribik" account, nine reported receiving a nation-state-attack warning from Twitter.

Some reacted to the security alerts with humor, and appropriately enough, via Twitter. "Remember when 'state-sponsored actors' meant the national performing-arts company doing Shakespeare in the park?" tweeted security expert Mark Wodrich.

Of course, Twitter accounts have hardly been immune to hostile takeovers. In recent years, for example, the Syrian Electronic Army, which backs the regime of Syrian President Bashar al-Assad in the country's bloody civil war, has seized control of numerous Twitter accounts. One of them was used by the Associated Press; in 2013 the group used it to falsely claim that there had been explosions at the White House, which briefly sent the U.S. stock market tumbling.

De-Anonymizing Attack?

While Twitter hasn't commented on whom it suspects might be behind the latest incidents, its warning suggests that the attacks might be designed to recover information that could be used to identify accountholders. "We recognize that this may be of particular concern if you choose to tweet using a pseudonym," Twitter says.

The microblogging service also points to services offered by the Tor Project, which maintains the anonymizing Tor browser, as well as guidance from civil rights group Electronic Frontier Foundation on protecting yourself on social networks. That guidance recommends using a separate email address to protect a pseudonymous account, choosing a strong password and using two-factor authentication whenever possible (see We're So Stupid About Passwords: Ashley Madison Edition).

In response to Twitter recommending Tor for anyone who wants to hide their identity, however, multiple information security experts and privacy advocates have questioned why Twitter appears to have blocked or locked some accounts that were accessed via Tor, as well as blocked the use of its free Tweetdeck client with Tor.

Encryption Debate

Twitter's nation-state-attack alerts arrive in the wake of many U.S. lawmakers and government officials excoriating technology firms for using encryption to protect users' communications (see Is Obama Calling for Encryption Bypass?). Following this month's shootings in San Bernardino, Calif., which left 14 people dead, some lawmakers have renewed their call for Silicon Valley to create "backdoors" in their products that would give law enforcement agencies the ability to decrypt communications.

But many computer security experts - and mathematicians - continue to caution that any attempt to weaken encryption would do nothing to curb terrorism, while also putting people at greater risk from cybercriminals as well as unfriendly nation states (see Why "Cryptophobia" Is Unjustified).

How Google Alerts

[Image: Google's state-sponsored attack alert to users.]

Twitter's decision to begin alerting end users to suspected nation-state attacks that target their account follows Google having first launched the practice in 2012. Google's Eric Grosse, in a related blog post, said such alerts often related to people being targeted - for example via phishing or malware - and unauthorized access attempts to their accounts. "When we have specific intelligence - either directly from users or from our own monitoring efforts - we show clear warning signs and put in place extra roadblocks to thwart these bad actors," he said, including alerting users directly.

"You might ask how we know this activity is state-sponsored," he added. "We can't go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis - as well as victim reports - strongly suggest the involvement of states or groups that are state-sponsored."

How Facebook Alerts

[Image: Facebook's state-sponsored attack alert.]

Facebook, meanwhile, implemented a similar system in October 2015. "While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored," according to a related overview published by Facebook CSO Alex Stamos, who notes that the alerts do not relate to the social network platform's security, but only to account holders' security. "We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts."

Like Google, Facebook will typically not release much additional information, in part because it doesn't want to tip off bad actors to the detection methods it's using, Stamos says.