Cybercrime , Cyberwarfare / Nation-State Attacks , Endpoint Security

Twitter Sees Signs of State-Sponsored Attack

Separately, Steganographic Cybercrime Scheme Employs Malicious Twitter Memes
Twitter Sees Signs of State-Sponsored Attack

Twitter says that an unspecified number of its users may have been targeted by state-sponsored hackers seeking to unmask their identity.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Attackers appear to have targeted a Twitter customer support API. A successful attack would have revealed the country code associated with a user's phone number, if they had registered one with Twitter, as well as whether Twitter had locked their account, the social networking giant says in a blog published on Monday.

"During our investigation, we noticed some unusual activity involving the affected customer support form API," it says. "Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors."

Twitter says it has shared its findings with law enforcement agencies. "Importantly, this issue did not expose full phone numbers or any other personal data," Twitter says in its security alert. "We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted. No action is required by account holders and we have resolved the issue."

Twitter's stock price plunged 7 percent in Monday trading, apparently as a result of its security alert.

Potential Nation-State Actors

The use of an IP address in any reconnaissance or attack is no smoking gun as to the origin of those efforts. Attackers have long used false flags to try and foil attribution or cast the blame on others (see: Winter Olympics Gold Medal for False Flag Goes to ... ?).

The social networking giant said it blocked the attacks on Nov. 16 after first beginning to investigate them on Nov. 15. It has not said how long the attacks may have persisted. Twitter did not immediately respond to a request for clarification.

Malware Responds to Twitter Memes

Separately, on Friday, information security firm Trend Micro warned that attackers have been disseminating image memes via Twitter that are being used to provide remote command-and-control services for malware-infected PCs. It says hardcoded URLs, spread via posts to the free text-sharing service Pastebin, are then being used to help exfiltrate stolen data.

"Steganography, or the method used to conceal a malicious payload inside an image to evade security solutions, has long been used by cybercriminals to spread malware and perform other malicious operations. We recently discovered malicious actors using this technique on memes," says Aliakbar Zahravi, a malware analyst at Trend Micro, in a blog post.

The authors of malware called Berbomthum have used a Twitter account, first created in 2017, to post two tweets that contain image memes, he says.

"The memes contain an embedded command that is parsed by the malware after it's downloaded from the malicious Twitter account onto the victim's machine, acting as a C&C service for the already placed malware," he says. "Hidden inside the memes mentioned above is the '/print' command, which enables the malware to take screenshots of the infected machine. The screenshots are sent to a C&C server whose address is obtained through a hard-coded URL on"

A screen capture of the offending Twitter account and one of the malicious memes (Source: Trend Micro)

Trend Micro says that Twitter blocked the offending account on Dec. 13.

Twitter did not immediately respond to a request for comment on Trend Micro's report.

Zahravi says it's not yet known how PCs first become infected with Berbomthum. In general, however, security researchers say that most malware attacks, including ransomware, tend to be distributed via spam or phishing emails (see:Ransomware Keeps Ringing in Profits for Cybercrime Rings).

This isn't the first time that malware writers have employed steganography to remotely control infected systems. Lurk malware, for example, was previously modified to serve as a dropper and download image files with malware hidden inside (see: Russian Police Bust Alleged Bank Malware Gang).

Nor is this the first time that Twitter posts have been used to issue instructions to malware-infected PCs. In 2013, for example, Russian security firm Kaspersky Lab and Budapest-based CrySyS Lab warned that they'd discovered an online espionage campaign that utilized attack code called MiniDuke, which looked to specified Twitter accounts to retrieve C&C instructions.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.