A cyber attack against the US Securities and Exchange Commission (SEC) that resulted in misinformation being posted on the financial regulator’s social media channels was the result of a SIM-swapping attack, it has emerged.
The attack came to light on Monday 9 January when the SEC’s X account briefly appeared to confirm that the regulator had approved the creation of US-listed exchange-traded funds (ETFs) for the bitcoin cryptocurrency.
The SEC has since officially given its genuine blessing to bitcoin ETFs in a landmark moment for crypto assets. However, in jumping the gun, its attackers caused significant fluctuations in the market before the post was removed and the SEC retook control of the hijacked account.
In the intervening fortnight, the SEC has been working with law enforcement and other bodies, including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice (DoJ) and its own internal enforcement teams.
In an update, an SEC spokesperson confirmed that the hackers obtained control of the mobile phone number linked to the compromised X account via SIM-swapping.
“Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorised party gained access to SEC systems, data, devices, or other social media accounts,” said the spokesperson.
“Once in control of the phone number, the unauthorised party reset the password for the @SECGov account. Among other things, law enforcement is currently investigating how the unauthorised party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.
“While multifactor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X support, at the staff’s request, in July 2023 due to issues accessing the account. Once access was re-established, MFA remained disabled until staff re-enabled it after the account was compromised on 9 January. MFA currently is enabled for all SEC social media accounts that offer it,” they added.
What is SIM-swapping?
A successful SIM-swapping attack occurs when a threat actor is able to convince the mobile network operator (MNO) to switch the victim’s mobile number to a new device.
This is generally achieved by phishing the victim to obtain data such as personally identifiable information (PII), credentials and answers to security questions (mother’s maiden name, make and model of first car, and so on).
The threat actor can then contact the MNO, impersonate the victim and register a new SIM card to the victim’s account, taking over the number and gaining access to any calls or SMS messages sent to it, as well as to any accounts that may be linked to the victim’s phone number.
Because many online accounts, from banking to social media, rely on mobile authentication to retrieve or reset their credentials, the attackers can then take complete control of their victim’s digital life, emptying bank accounts or co-opting their social media.
Unfortunately, all too often, the victim will be unaware they have been targeted until their mobile device suddenly stops being able to send or receive calls or texts, at which point it is too late.
Ordinary people can take steps to safeguard themselves against this attack vector. Historically, the most effective method has been held to be using MFA across key accounts – though even this is not infallible, particularly if it relies on SMS one-time passcodes, which a SIM-swapper can intercept. More effective is to use authenticator apps from the likes of Google or Microsoft, which do not depend on the phone number. Most effective is not to link a mobile phone number to online accounts, including as a recovery option, if it can be avoided.
In the SEC’s case, the attack appears to have been limited to pranking or trolling crypto enthusiasts, but nevertheless, manipulating financial markets in this way is illegal, and if the culprits are caught and found to be in the US – or a country with which the US shares an extradition treaty – they can expect stiff penalties.
Ilia Kolochenko, a cyber crime educator and founder and chief executive of Immuniweb, said the incident could have been a lot worse.
“While the SEC’s X account hack is a minor security incident, all governmental agencies should review the security of their social network accounts,” he said.
“A breach of the SEC account can cause market volatility for a short time, however, a message on X by the US Department of Defense announcing war or a nuclear strike could trigger unpredictable and devastating consequences globally.”