SEC hack: fallout could last for months, say experts


Experts weigh in on the fallout from the SEC’s X account hack and how the latest disinformation scandal is reverberating not only on social media but throughout Washington.

It was back to business Thursday for the SEC, which, ironically, filed fraud and disclosure charges against the CEO of a New York-based fintech firm for manipulative trading.

The latest case: CEO Shanchun Huang of the Future FinTech Group is accused of falsely inflating the price of his company’s stock through market manipulation – exactly what the SEC will have to provide answers for in the wake of its cyber faux pas.


Investigations have been launched by both members of the US House of Representatives and the Federal Bureau of Investigation (FBI) into the SEC’s lack of basic security measures – the root cause of Tuesday’s hack.

The SEC's inspector general is also said to be launching an internal investigation into how it all went down.

The exploit – which ultimately led to an unauthorized post falsely claiming the US Securities and Exchange Commission (SEC) had approved the listing of spot bitcoin ETFs on the national exchanges – caused a short-lived spike in bitcoin market prices, triggering the federal probes.

Insiders reported the bitcoin price fluctuation allowed some crypto traders to make billions off the post, with transactions that "may take years to identify" on the blockchain.

“When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims – in this case, the SEC,” said Antoine Vastel, Ph.D. and Head of Research at DataDome.

“The danger here is that these often go undetected for a long time because logging in isn’t considered a suspicious action,” he said.

“Once a hacker is inside a user’s account, they have the keys to the kingdom,” Vastel pointed out. "The fallouts of an account takeover attack can last for months."


The SEC may have deleted the post within a half hour, but not before more than 1 million users had already seen it, leading to an uproar on social media once the SEC replaced it with a corrected post.

“The best source of info on the SEC is clearly NOT the SEC,” one user said.

Multi-factor authentication strikes again

The infiltration was said to be caused by “an unidentified individual” compromising the social media account by acquiring an associated phone number.

The US financial regulation agency also revealed it did not have two-factor authentication enabled on the account at that time.

“While it might seem surprising that an agency dealing with highly-sensitive and heavily-regulated matters would seemingly not follow federal government guidelines for multi-factor authentication, this shows that it can be difficult for even the most ardent organizations to enforce cyber policies, and the weakest links are often people,” said Paul Martini, CEO of security firm iboss.

Martini says the entire debacle is “just further evidence that identity solutions are not enough, and the industry needs to fully embrace Zero Trust with appropriate authentication and access controls.”

“I’m sure there are a lot of social media managers at federal government agencies that are scrambling to make sure this doesn’t happen to them,” Martini said.

On Wednesday, the SEC – some say begrudgingly – approved the bitcoin tracking ETF, making it the first of its kind to be listed on the national exchanges in a widely anticipated move by the crypto industry.


Meantime, the Republican-led House Financial Services Committee sent a letter to SEC Chair Gary Gensler on Wednesday, seeking more information about the fake post.

“To better understand how this breach occurred and how the SEC will ensure it cannot happen again, please provide a briefing to Committee staff no later than January 17th, 2024," the letter stated.

“This failure is unacceptable, and it is disturbing that your agency could not even meet the standard you require of private industry," it said.

To note, Gensler’s name and title had been added to the fake post in what appears to be an effort by the unknown hacker to make it seem legitimate.

[Image] Fake X post from SEC hack with false quote from SEC Chair Gary Gensler.

Etay Maor, Senior Director of Security Strategy at Cato Networks, said the SEC’s X account hack is the latest painful reminder of what happens when basic security hygiene practices, such as using strong passwords and two-factor authentication, are overlooked.

The disinformation factor

Not only have security concerns been raised over the incident, but so have concerns about the devastating impact disinformation can have on an industry and even on society.

“In a year when more than 50 different countries are expected to hold democratic elections, we are already witnessing the real-world ramifications of disinformation spread online by cyberattackers,” Maor said.

The SEC hack is now one of several that have already taken place since the start of the year, Maor explained, referencing last week’s breach of Mandiant’s X account by bad actors attempting to push another crypto scam service.


An SEC spokesperson reiterated in a statement on Wednesday that "The unauthorized content on the @SECGov account was not drafted or created by the SEC."

Additionally, X assured its users that a preliminary investigation showed the hack was unrelated to any breach of the social messaging platform.

Maor also pointed out the SEC attack was “reminiscent” of an attack on the Associated Press that took place in April 2013. In that attack, the AP's Twitter account (the platform now known as X) was hacked to spread “false rumors” about an explosion at the White House, causing stock prices to plunge.

“The irony is that this latest hack follows the SEC’s new public breach disclosure policy, which took effect last month," Maor said, referring to the SEC’s new four-day disclosure deadline.

“These security enforcements should be the bare minimum for organizations under scrutiny to comply with evolving security protocols,” Maor said.

When it comes to beefing up security, Vastel added that "on top of strong and regularly updated passwords, organizations should also nudge their users or customers to enable MFA too."

Furthermore, although it's not clear whether the hackers obtained the information from an SEC employee, Vastel said staff should always “be educated regularly on the risks of account takeovers, and especially the risk of phishing and social engineering tactics.”