The bad actor who hacked into the X account of the Securities and Exchange Commission earlier this month gained access through a SIM swapping attack on the agency’s phone linked to the account.
An SEC spokesperson, in an update this week on the incident, said the attacker was able to convince the unnamed wireless carrier that held the account associated with the phone to transfer the phone number, without authorization, to another device controlled by the threat actor.
With control of the number, the scammer on January 9 was able to post on the SEC’s account on X – formerly Twitter – that the agency had approved 11 bitcoin exchange-traded funds (ETFs), a decision that actually wasn’t going to be approved for another day or so. The X post kicked off a chaotic period in the markets that reportedly saw a sharp drop in the price of bitcoin, causing the cryptocurrency to lose more than $60 billion in market value in just minutes.
“Once in control of the phone number, the unauthorized party reset the password for the @SECGov account,” the agency statement said.
SEC Chair Gary Gensler had to disavow the X post through his own personal account.
The fraud followed the well-worn steps of most other SIM swapping scams, in which the hacker contacts the victim’s mobile phone carrier and convinces them to activate a SIM card they have, which essentially transfers the target’s number to their own devices, giving them control over the phone number. Through that, the scammer can begin receiving and sending voice and text messages with the number.
The hacker in the SEC case was able to access the number of the SEC cell phone through the telecom carrier rather than SEC systems, the agency said, adding that its staff has seen no evidence that the scammer had gained access to any other SEC systems, devices, or social media accounts or any data.
“Law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account,” the SEC said in the statement.
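The chain described above (carrier moves the number to a new SIM, then an SMS-based password reset follows minutes later) is something an account owner can detect if the carrier notifies them of SIM changes. The following is an added example, not code from the article or from the SEC; it assumes a carrier SIM-change feed and an identity-provider audit log, both constructed here with made-up values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the SEC incident). Assumed feed formats:
# a carrier notification whenever a number is moved to a new SIM/device ...
SIM_CHANGE_EVENTS = [
    {"ts": "2024-01-09T14:02:00", "phone": "+15550100001"},
    {"ts": "2024-01-09T09:30:00", "phone": "+15550100002"},
]
# ... and an audit log from the social-media / identity provider.
ACCOUNT_EVENTS = [
    {"ts": "2024-01-09T14:25:00", "account": "@agency_main", "event": "password_reset", "channel": "sms"},
    {"ts": "2024-01-09T14:27:00", "account": "@agency_main", "event": "post_published", "channel": "web"},
    {"ts": "2024-01-09T16:00:00", "account": "@agency_press", "event": "password_reset", "channel": "sms"},
]
# Which recovery phone number is attached to each account, and whether MFA is on.
ACCOUNT_RECOVERY_PHONE = {"@agency_main": "+15550100001", "@agency_press": "+15550100002"}
MFA_ENABLED = {"@agency_main": False, "@agency_press": True}


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def flag_suspicious_resets(sim_events, account_events, recovery_phone, mfa,
                           window=timedelta(hours=2)):
    """Alert on SMS-channel password resets that occur within `window` after a
    SIM change on the account's recovery number. Severity is raised when the
    account has no MFA, since the SMS reset alone then grants full control."""
    sim_by_phone = {}
    for e in sim_events:
        sim_by_phone.setdefault(e["phone"], []).append(parse(e["ts"]))
    alerts = []
    for e in account_events:
        if e["event"] != "password_reset" or e["channel"] != "sms":
            continue
        phone = recovery_phone.get(e["account"])
        reset_at = parse(e["ts"])
        for sim_at in sim_by_phone.get(phone, []):
            delta = reset_at - sim_at
            if timedelta(0) <= delta <= window:  # reset shortly AFTER the swap
                mfa_on = mfa.get(e["account"], False)
                alerts.append({
                    "account": e["account"],
                    "phone": phone,
                    "minutes_after_sim_change": int(delta.total_seconds() // 60),
                    "mfa_enabled": mfa_on,
                    "severity": "medium" if mfa_on else "high",
                })
    return alerts


if __name__ == "__main__":
    for a in flag_suspicious_resets(SIM_CHANGE_EVENTS, ACCOUNT_EVENTS, ACCOUNT_RECOVERY_PHONE, MFA_ENABLED):
        print(a)
```

On the constructed data only @agency_main is flagged: its reset came 23 minutes after the SIM change and MFA was off, while @agency_press's reset falls outside the window.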
SIM swapping scams have been on the rise over the past several years. An FBI advisory in 2022 warned mobile carriers and the public about scams, saying that between 2018 and 2020, its Internet Crime Complaint Center logged 320 complaints, which involved losses of up to $12 million. In 2021, the number of SIM swapping complaints grew to 1,611, with losses jumping to more than $68 million.
The incident also has put greater scrutiny on the SEC and its cybersecurity capabilities. Most federal agencies use multi-factor authentication (MFA) methods to verify the identity of people or entities trying to access systems.
MFA had been used with the SEC’s X account until July 2023, when the agency’s staff asked X Support to disable it after running into problems accessing the account. Staffers were able to regain access to the account after that, and MFA remained disabled until it was put back into effect after the January 9 compromise.
MFA is now used with all of the agency’s social media accounts that offer it.
In a letter to the SEC two days after the fraudulent posting appeared, Senators Ron Wyden (D-OR) and Cynthia Lummis (R-WY) demanded an investigation into not only the hack of the social media account but also what they called the SEC’s “apparent failure to follow cybersecurity best practices.”
“Given the obvious potential for market manipulation … the SEC’s social media accounts should have been secured using industry best practices,” they wrote. “Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity.”
They noted that since 2021, X has allowed users to exclusively use security keys and to remove phone numbers, which can be easily hijacked.
The senators also pointed to a memo issued by the Office of Budget and Management (OMB) in January 2022 outlining the government’s plans for a zero-trust architecture that put an emphasis on enterprise identity and access controls, including MFA, and to an independent evaluation of the SEC’s operations, which they said found the agency’s information security program ineffective.
The SEC’s failure to follow cybersecurity best practices was made worse given the agency’s controversial cybersecurity incident reporting rules approved late last year.
“Additionally, a hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation,” Wyden and Lummis wrote.
A number of agencies are investigating the hack, including the SEC’s inspector general and its Enforcement Division, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Justice Department, and the Commodity Futures Trading Commission, whose job includes regulating bitcoin futures.