An August attack on Twilio, which led to a breach of Signal and other downstream clients, was not the first by that particular threat actor. An investigation into the Twilio hack has turned up an earlier breach by the same party, in which a vishing attack was used to steal a smaller amount of customer information.
The earlier incursion by the Twilio hacker was apparently detected after half a day and limited to taking some amount of customer contact information. After successfully deploying a vishing attack in June, that same attacker would come back in August with an SMS text message campaign that afforded it even greater access to Twilio’s internal network.
Twilio vishing attack fooled an employee prior to SMS phishing campaign
The hacking group 0ktapus is thought to be behind the Twilio hacks; the group earned its name by going on a major campaign in recent months that targeted business clients of the Okta access management platform. The group’s primary approach has been to send SMS messages to targets that direct them to a fake Okta login page, but it appeared to test out vishing attacks as a strategy first.
Vishing attacks are seeing something of a resurgence, as companies increasingly push multi-factor authentication methods that are not easy for hackers to defeat via the traditional route of email phishing. Over the phone, the attacker only needs to convince the target to complete the login process on the attacker’s behalf, for example by reading back a one-time code or approving a push prompt. These attacks do still incorporate an email approach at times, however, sometimes making first contact with a spoofed email directing the employee to call a fake IT staff member or customer service agent.
Twilio hacks focused on phone-based verification to penetrate company network
The initial vishing attack was successful in convincing an employee to give up their login credentials, but it appears that the attacker was only able to access a “limited” amount of customer contact information in that incident. The Twilio hackers eventually decided on an SMS phishing campaign, breaching about 130 companies over a period of several months.
Impacted Twilio customers were notified of the June attack not long before the August attack began. The connection between the two attacks was discovered during the post-mortem investigation of that second attack. Twilio also found that 209 of the company’s 270,000 customer accounts were impacted by the second attack, and only 93 of the roughly 75 million end users of the Authy authenticator app. Neither of the attacks provided access to authentication tokens or other customer credentials.
The Twilio hack prompted some changes at the company, as it announced that it would be distributing hardware security keys and requiring 2FA in the future as a means of heading off future smishing and vishing attacks.
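The difference between the MFA that a vishing caller can talk a victim out of and the hardware keys Twilio says it is rolling out comes down to what the server actually checks. The following is an added illustration, not code from Twilio or from any of the parties named above: a simplified model in which a code-based factor is verified only by its digits, while a hardware-key style factor signs the server’s challenge together with the origin the browser is really on. The origins, user name and HMAC-based “signature” are constructed stand-ins for a real key pair and real domains.

```python
"""Added illustration (not from the article): why a relayed one-time code
succeeds but a relayed origin-bound assertion fails.

Simplified model, not a real WebAuthn implementation: the authenticator's
key pair is replaced by an HMAC secret shared with the relying party.
Origins and the user name are constructed placeholders."""
import hashlib
import hmac
import json
import secrets

GENUINE_ORIGIN = "https://sso.example-corp.test"    # constructed placeholder
PHISHING_ORIGIN = "https://sso-example-corp.test"   # constructed look-alike


class OtpRelyingParty:
    """Code-based MFA: the server checks the digits, not where they were typed."""

    def __init__(self):
        self.pending = {}

    def issue_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code

    def verify(self, user, code):
        return hmac.compare_digest(self.pending.pop(user, ""), code)


class Authenticator:
    """Stand-in for a hardware key: signs the challenge plus the browser's origin."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge, browser_origin):
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        )
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class KeyRelyingParty:
    """Hardware-key style MFA: signature must be valid AND bound to our origin."""

    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}
        self.pending = {}

    def register(self, user, authenticator):
        self.credentials[user] = authenticator.secret

    def issue_challenge(self, user):
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user, assertion):
        challenge = self.pending.pop(user, None)
        secret = self.credentials.get(user)
        if challenge is None or secret is None:
            return False
        client_data = assertion["client_data"]
        expected = hmac.new(secret, client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        parsed = json.loads(client_data)
        # The origin check is what defeats a relay: the victim's browser
        # reports the site it is actually on, and the key signs that value.
        return parsed["challenge"] == challenge and parsed["origin"] == self.origin


def otp_relay():
    """Victim reads the code to a fake helpdesk; caller submits it. True = caller logs in."""
    rp = OtpRelyingParty()
    code_shown_to_victim = rp.issue_code("alice")
    relayed_code = code_shown_to_victim  # read out over the phone
    return rp.verify("alice", relayed_code)


def key_relay():
    """Victim is on the look-alike site; the genuine challenge is forwarded. True = relay logs in."""
    rp = KeyRelyingParty(GENUINE_ORIGIN)
    key = Authenticator()
    rp.register("alice", key)
    challenge = rp.issue_challenge("alice")
    assertion = key.sign(challenge, PHISHING_ORIGIN)  # browser binds the real origin
    return rp.verify("alice", assertion)


def key_legitimate_login():
    """Same key, same server, victim on the genuine site. True = login succeeds."""
    rp = KeyRelyingParty(GENUINE_ORIGIN)
    key = Authenticator()
    rp.register("alice", key)
    challenge = rp.issue_challenge("alice")
    return rp.verify("alice", key.sign(challenge, GENUINE_ORIGIN))


if __name__ == "__main__":
    print("OTP relayed over the phone accepted:", otp_relay())        # True
    print("Key assertion relayed from look-alike site:", key_relay())  # False
    print("Key assertion from genuine site:", key_legitimate_login())  # True
```

The point for a defender is that no amount of user training is needed for the second case to fail: the server rejects the relayed assertion because the origin the browser embedded does not match, which is the property that “hardware security keys” buy over SMS or app-generated codes.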