SEC's X account hacked with 'SIM swapping,' experts weigh in


The US Securities and Exchange Commission has revealed that hackers took control of the phone number attached to its official X account via a technique called SIM swapping, then used that number to compromise the account on January 9th. Meanwhile, one security expert tells Cybernews how this tricky social engineering attack may have played out.

Wall Street's top regulator released a statement about the attack Monday.

The SEC also said that six months prior to the attack, staff had removed an added layer of protection, known as multi-factor authentication, and did not restore it until after the January 9th attack.


As anticipation mounted for the agency's approval of exchange-traded products tracking bitcoin, an unidentified person or persons gained access to the account, posting the false announcement that approval had already been granted, causing a momentary jump in the cryptocurrency's price. In a split vote, the commission granted approval the following day.

SIM swapping is a technique in which attackers gain control of a telephone number by tricking the service provider into reassigning it to a SIM card (and therefore a device) that they control. From that point on, calls and text messages to the number, including one-time codes and password-reset links, are delivered to the attacker rather than the legitimate subscriber.

According to digital security provider Avast, the main aim of SIM swapping is usually to exploit two-factor authentication to gain fraudulent access to an account.

"Once in control of the phone number, the unauthorized party reset the password for the @SECGov account," an SEC spokesperson said in a statement.
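The chain described above, from a ported number to a reset password, is easy to model. The following is an added illustration, not code from the SEC, X or any carrier, and every class, number and handle in it is hypothetical. It compares two account-recovery policies: one in which a code texted to the account's phone number is enough to reset the password, and one that additionally demands a factor the phone number cannot deliver (an authenticator-app TOTP). The SIM swap itself is modelled as the carrier reassigning the number to the attacker's inbox.

```python
"""Toy model of how a ported phone number becomes an account takeover.

Added example, not the SEC's, X's or any carrier's code; all names are
hypothetical. Two recovery policies are compared: SMS code alone versus
SMS code plus an authenticator-app TOTP that never touches the phone number.
"""
import hashlib
import hmac
import secrets
import struct
import time


class Carrier:
    """Maps each phone number to the SIM (here, a list used as an inbox) that receives its SMS."""

    def __init__(self):
        self.routing = {}

    def activate(self, number, inbox):
        self.routing[number] = inbox

    def port(self, number, new_inbox):
        # The social-engineering step: a support agent is talked into moving the number.
        self.routing[number] = new_inbox

    def send_sms(self, number, text):
        self.routing[number].append(text)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with a 30-second step."""
    counter = int((for_time if for_time is not None else time.time()) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class AccountService:
    def __init__(self, carrier, require_app_factor):
        self.carrier = carrier
        self.require_app_factor = require_app_factor
        self.accounts = {}   # handle -> {"phone", "password", "totp_secret"}
        self.pending = {}    # handle -> outstanding SMS reset code

    def register(self, handle, phone, password):
        self.accounts[handle] = {"phone": phone, "password": password,
                                 "totp_secret": secrets.token_bytes(20)}

    def start_reset(self, handle):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[handle] = code
        # Whoever the carrier currently routes this number to receives the code.
        self.carrier.send_sms(self.accounts[handle]["phone"], code)

    def finish_reset(self, handle, sms_code, new_password, app_code=None):
        if self.pending.get(handle) != sms_code:
            return False
        if self.require_app_factor:
            secret = self.accounts[handle]["totp_secret"]
            now = time.time()
            # Accept the current and previous step to tolerate clock skew.
            if app_code not in {totp(secret, now), totp(secret, now - 30)}:
                return False
        self.accounts[handle]["password"] = new_password
        del self.pending[handle]
        return True

    def login(self, handle, password):
        return self.accounts[handle]["password"] == password


def sim_swap_takeover(require_app_factor):
    """Run the attack chain against one policy; return True if the attacker gets in."""
    carrier = Carrier()
    victim_inbox, attacker_inbox = [], []
    number = "+12025550100"                      # constructed number
    carrier.activate(number, victim_inbox)
    svc = AccountService(carrier, require_app_factor)
    svc.register("@target", number, "correct horse battery")

    carrier.port(number, attacker_inbox)         # the SIM swap
    svc.start_reset("@target")                   # reset code lands on the attacker's SIM
    svc.finish_reset("@target", attacker_inbox[-1], "pwned")  # attacker has no TOTP secret
    return svc.login("@target", "pwned")


def legitimate_reset():
    """The real owner, holding both the SIM and the authenticator, still succeeds."""
    carrier = Carrier()
    inbox = []
    carrier.activate("+12025550100", inbox)
    svc = AccountService(carrier, require_app_factor=True)
    svc.register("@owner", "+12025550100", "old")
    svc.start_reset("@owner")
    code = totp(svc.accounts["@owner"]["totp_secret"])
    return svc.finish_reset("@owner", inbox[-1], "new", app_code=code) and svc.login("@owner", "new")
```

With the SMS-only policy, `sim_swap_takeover(False)` returns True: the ported number is the whole recovery path. With the app factor required it returns False, because nothing the carrier can reassign yields the TOTP secret. The same point applies to SMS-delivered second factors: a code sent to a number the attacker now controls is not an independent factor, so the question the later section asks about MFA depends on which kind of MFA is meant.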

Law enforcement agencies are working to learn how the hackers prevailed on the SEC's mobile carrier to make the switch, the SEC said, without identifying the carrier.

William Glazier, Director of Threat Research at Cequence Security says that SIM Swapping is one of the more “dangerous and tricky threats” facing organizations today.

Glazier explains that a SIM swapping “attack is multi-faceted, and the responsibility for protection is distributed among different parties."

In this attack case, those parties include:

  • The individual themselves (SEC)
  • The platform where the Account Takeover occurred (X)
  • The telecom provider who manages the phone number (unknown at this time).

Note that the SEC's main headquarters is in Washington, DC, but the agency has numerous regional offices, including New York City, Philadelphia, San Francisco, Salt Lake City, Atlanta, Miami, and Chicago. It did not reveal where the employee whose phone number was ported is based, nor which office the number was attached to.

Is multi-factor authentication really the key?

Lawmakers have demanded explanations as to how the SEC could have left itself exposed to such an attack, when it holds publicly traded companies to tough cybersecurity requirements.

Monday's statement also said that due to difficulties accessing the account, SEC staff had asked X Support in June of 2023 to disable multi-factor authentication, which can offer added protection against unauthorized access.

"MFA currently is enabled for all SEC social media accounts that offer it," the SEC said in its statement, but Glazier questions whether the lack of multi-factor authentication was truly the root cause of the breach.

“The act of social engineering of convincing the telecom employee(s) to port over a phone number is actually one of the last steps in the attack chain,” Glazier said.

Typically a threat actor will try to abuse a telecom's APIs (application programming interfaces) before attempting a method such as SIM swapping.

Glazier said this is because these APIs, standard interfaces through which the telecom shares data with applications, platforms, and partner enterprises, are by design publicly exposed to the internet with no authentication.

Usually this is done as a way to enable business growth, Glazier said.


“If I'm a telco - I want people to be able to check friction-free if they can move their phone number from a competing carrier over to me,” Glazier said.

“Attackers can learn which phone numbers belong to which carriers, by learning which phone numbers ARE NOT eligible to be ported over, because they already belong to said carrier,” he said.
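The oracle Glazier describes, and the simplest way a carrier could spot it being abused, look like this. The following is an added example, not code from Cequence, any carrier, or the original article; the endpoint path, the log format and the numbers are all hypothetical. Part one is an unauthenticated "can this number port to us?" check: it answers "not eligible" for numbers the carrier already serves, so a bulk caller harvests exactly that carrier's customers. Part two runs over constructed API-gateway log lines and flags any client that probes many distinct numbers in a short window, which is the behaviour a legitimate prospective customer never shows.

```python
"""Carrier lookup through a port-eligibility endpoint, and detecting its abuse.

Added example, not the article's or any carrier's code. The endpoint, the
field names and the log format are hypothetical; the numbers are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subscriber base of the carrier that exposes the endpoint.
OWN_SUBSCRIBERS = {"+12025550101", "+12025550104", "+12025550107"}


def port_eligibility(msisdn):
    """Hypothetical unauthenticated endpoint: True if the number can be ported in."""
    # A number already on this network cannot be ported *to* it, so the answer
    # leaks whether the number is one of our customers.
    return msisdn not in OWN_SUBSCRIBERS


def enumerate_customers(candidates):
    """What a bulk caller learns: every 'not eligible' reply is one of our subscribers."""
    return sorted(n for n in candidates if not port_eligibility(n))


# Part two: detection over gateway access logs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET /port/eligibility\?msisdn=(?P<msisdn>\+\d+) (?P<status>\d{3})$"
)

# Constructed log: one client sweeps eight numbers in a minute, one legitimate
# client re-checks a single number, one unrelated request is ignored by the regex.
SAMPLE_LOG = """\
2024-01-08T14:00:01Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550100 200
2024-01-08T14:00:01Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550101 200
2024-01-08T14:00:02Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550102 200
2024-01-08T14:00:02Z 198.51.100.9 GET /port/eligibility?msisdn=+12025550200 200
2024-01-08T14:00:02Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550103 200
2024-01-08T14:00:03Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550104 200
2024-01-08T14:00:03Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550105 200
2024-01-08T14:00:04Z 198.51.100.9 GET /port/eligibility?msisdn=+12025550200 200
2024-01-08T14:00:04Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550106 200
2024-01-08T14:00:05Z 203.0.113.7 GET /port/eligibility?msisdn=+12025550107 200
2024-01-08T14:00:06Z 198.51.100.9 GET /account/login 200
"""


def detect_enumeration(log_text, max_distinct=5, window=timedelta(minutes=5)):
    """Return {client: distinct numbers probed} for clients exceeding max_distinct in any window."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_client[m["client"]].append((ts, m["msisdn"]))

    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] all fall within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {n for _, n in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged
```

Here `enumerate_customers` over the ten numbers `+12025550100` to `+12025550109` returns the three subscribers, and `detect_enumeration(SAMPLE_LOG)` flags only `203.0.113.7`, with eight distinct numbers; the legitimate client that re-checks one number stays under the threshold. In production the same logic would sit in the gateway's rate limiter, keyed on client address or account, with the threshold tuned to how many numbers a genuine switching customer checks (usually one).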

Meanwhile, the fake bitcoin ETF approval post and the spike in bitcoin's price that followed have led many insiders to believe some crypto investors made millions off the roughly 20-minute hack.

The incident is under investigation by agencies including the SEC's Office of Inspector General and its Division of Enforcement; the Commodity Futures Trading Commission, which regulates bitcoin futures; the Federal Bureau of Investigation; the Department of Justice; and the Cybersecurity and Infrastructure Security Agency, the statement said.

The SEC announced last week that its internal systems, including agency data, devices, and its other social media accounts, were untouched.

As of Monday, X has not commented on the SEC's latest statement.