The U.S. Securities and Exchange Commission said on Monday that a SIM swap attack was responsible for the breach of its official account on X, formerly known as Twitter, earlier this month.
On Jan. 9, an unauthorized party gained access to the @SECGov account and displayed a fake post claiming the agency had approved the first-ever spot bitcoin exchange-traded funds. The cryptocurrency market moved following the unauthorized post, with bitcoin prices initially shooting up to almost $48,000 from a low that day of just above $45,000. Then, after the SEC clarified that it had not yet approved the bitcoin ETF, prices fell below $46,000.
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC mobile phone number related to the account in an apparent ‘SIM swap’ attack,” an SEC spokesperson said in a press release.
A SIM swap is when a phone number is transferred to a different device without the permission of the owner, allowing the bad actor to receive SMS messages and voice calls intended for the victim.
With access to the phone number, the unidentified individual then reset the account password. Because the SEC didn’t have two-factor authentication enabled, the SIM swap and subsequent password change were the only two steps needed to gain full access to the agency’s account.
“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, on the staff’s request, in July 2023 due to issues accessing the account,” the SEC said in the statement.
“Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” the statement continued. “MFA currently is enabled for all SEC social media accounts that offer it.”
The agency had the ability to turn two-factor authentication back on for its X account and was not reliant on X to do so.
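As an added illustration (not part of the CNBC report, and not code from the SEC, X or any carrier), a defender-side correlation check for the chain described above: given a constructed, hypothetical event feed in which a carrier reports SIM changes and an identity provider logs password resets and logins, flag any SMS-channel reset that follows a SIM change on the same number within a short window, and raise the severity when the account then logs in with MFA disabled. The log format, field names, the existence of a carrier SIM-change feed and the 72-hour window are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, hypothetical event feed (not real SEC, carrier or X data).
# One event per line: <UTC timestamp> <source> <event kind> key=value...
SAMPLE_LOG = """\
2024-01-07T14:02:11Z carrier sim_change number=+15550100 ticket=c-1
2024-01-09T16:30:05Z idp password_reset user=press_desk channel=sms number=+15550100
2024-01-09T16:31:40Z idp login user=press_desk mfa=disabled ip=198.51.100.7
2024-01-09T17:05:00Z idp password_reset user=finance channel=email number=-
"""

@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    attrs: dict = field(default_factory=dict)

def parse_event(line: str) -> Event:
    ts, source, kind, *pairs = line.split()
    attrs = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, kind, attrs)

def sim_swap_alerts(log: str, window_hours: float = 72) -> list:
    """Flag SMS-channel password resets that follow a carrier SIM change on the
    same number within the window; severity is 'high' if the account then logs
    in with no second factor, i.e. phone-number control alone sufficed."""
    window = timedelta(hours=window_hours)
    events = sorted((parse_event(l) for l in log.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    last_swap = {}  # phone number -> time of most recent carrier SIM change
    alerts = {}     # user -> alert record
    for e in events:
        if e.source == "carrier" and e.kind == "sim_change":
            last_swap[e.attrs["number"]] = e.ts
        elif e.kind == "password_reset" and e.attrs.get("channel") == "sms":
            swapped = last_swap.get(e.attrs.get("number"))
            if swapped is not None and e.ts - swapped <= window:
                alerts[e.attrs["user"]] = {
                    "user": e.attrs["user"], "number": e.attrs["number"],
                    "hours_since_swap": (e.ts - swapped) / timedelta(hours=1),
                    "severity": "medium"}
        elif e.kind == "login" and e.attrs.get("user") in alerts:
            # Reset followed by a login without MFA: the takeover is complete.
            if e.attrs.get("mfa") == "disabled":
                alerts[e.attrs["user"]]["severity"] = "high"
    return list(alerts.values())
```

The email-channel reset for the unrelated account is not flagged, and shrinking the window below the gap between the SIM change and the reset drops the alert, so the window is the knob to tune against the carrier feed's latency.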
X owner and Chief Technology Officer Elon Musk mocked the SEC, an agency he has clashed with for years, after its account on X was breached. Musk also retweeted a post from Twitter Safety following the incident, which said the compromise “was not attributable to any breach of X’s systems.”
X didn’t immediately respond to CNBC’s questions on whether the platform has continued to cooperate with investigators, or whether the company plans to change its design or any features related to government agency accounts in response to the SEC account breach.
Cybersecurity expert Chris Pierson told CNBC that SIM swap attacks have become a much larger security threat for government agencies and companies.
“Originally, these attacks flourished as a way for criminals to hijack a person’s cryptocurrency wallet or account, but they’re now being weaponized by other criminal actors and nation-states for a much wider range of uses,” said Pierson, a former member of the Department of Homeland Security’s Cybersecurity Subcommittee and Privacy Committee.
There’s also been a growing number of targeted takeovers of influential social media accounts for pump-and-dump stock schemes, to inflict reputational damage and to spread disinformation, added Pierson, who’s now CEO of cybersecurity and digital privacy protection company BlackCloak.
“While that is becoming a more significant issue, with more organized and complex actors, we’re still seeing many agencies and firms continue to make basic mistakes with the security of those accounts,” he said.
The SEC said there was no evidence the unauthorized party gained access to the agency’s systems, data, devices or other social media accounts. Instead, the SEC said that “access to the phone number occurred via the telecom carrier” and that law enforcement is still investigating both how this individual “got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account.”
The SEC said it’s continuing to work with multiple law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice and the SEC’s own Division of Enforcement.
— CNBC’s Lora Kolodny contributed to this report.