A 17-year-old Florida teenager is accused of perpetrating one of the year’s biggest and most high-profile hacks: Twitter.
A federal 30-count indictment filed in Tampa said Graham Ivan Clark used a phone spearphishing attack to pivot through multiple layers of Twitter’s security and bypassed its two-factor authentication to gain access to an internal “admin” tool that let the hacker take over any account. With two accomplices named in a separate federal indictment, Clark — who went by the online handle “Kirk” — allegedly used the tool to hijack the accounts of dozens of celebrities and public figures, including Bill Gates, Elon Musk and former president Barack Obama, to post a cryptocurrency scam netting over $100,000 in bitcoin in just a few hours.
It was, by all accounts, a sophisticated attack that required technical skills and an ability to trick and deceive to pull off the scam. Some security professionals were impressed, comparing the attack to one that had the finesse and professionalism of a well-resourced nation-state attacker.
In the teenager’s defense, the attack could have been much worse. Instead of pushing a scam that promised to “double your money,” Clark and his compatriots could have wreaked havoc. In 2013, hackers hijacked the Associated Press’ Twitter account and tweeted a fake bomb attack on the White House, sending the markets plummeting — only to quickly recover after the all-clear was given.
But with control of some of the world’s most popular Twitter accounts, Clark was for a few hours in July one of the most powerful people in the world. If found guilty, the teenager could spend his better years behind bars.
Here’s more from the past week.
THE BIG PICTURE
Garmin hobbles back after ransomware attack, but questions remain
Sport and fitness tech giant Garmin has confirmed its five-day outage was caused by a ransomware attack.
In a brief statement on Monday, the company said it was hit by a cyberattack on July 23 that “encrypted some of our systems.”
“As a result, many of our online services were interrupted including website functions, customer support, customer facing applications and company communications,” the statement read. “We immediately began to assess the nature of the attack and started remediation.”
Garmin said it had “no indication” that customer data was accessed, lost or stolen. The company said its services are being restored.
The attack caused massive disruption to the company’s online services, used by millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices. The attack also took down flyGarmin, its aviation navigation and route-planning service.
The tech maker previously attributed the incident to an “outage,” but sources familiar with the incident told TechCrunch that the outage was caused by file-encrypting malware.
TechCrunch previously reported that the attack was caused by the WastedLocker ransomware, citing a source with direct knowledge of the incident. WastedLocker is known to be used by a Russian hacking group, known as Evil Corp., which was sanctioned by the U.S. Treasury last year.
By imposing sanctions, the Treasury would have effectively made it illegal for any U.S. company to pay a ransom to get their files back.
During the outage, Garmin’s stock price fell from $102 to $94 per share. By afternoon trading on Monday, Garmin was up 3% to $100 per share.
Garmin is expected to report earnings on Wednesday.
An ongoing global outage at sport and fitness tech giant Garmin was caused by a ransomware attack, according to two sources with direct knowledge of the incident.
The incident began late Wednesday and continued through the weekend, causing disruption to the company’s online services for millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices. The attack also took down flyGarmin, its aviation navigation and route-planning service.
Portions of Garmin’s website were also offline at the time of writing.
Garmin has said little about the incident so far. A banner on its website reads: “We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”
The two sources, who spoke on the condition of anonymity as they are not authorized to speak to the press, told TechCrunch that Garmin was trying to bring its network back online after the ransomware attack. One of the sources confirmed that the WastedLocker ransomware was to blame for the outage.
One other news outlet appeared to confirm that the outage was caused by WastedLocker.
Garmin’s online services have been down for days. The cause is believed to be ransomware, according to two sources with direct knowledge of the incident. (Screenshot: TechCrunch)
WastedLocker is a new kind of ransomware, detailed by security researchers at Malwarebytes in May, operated by a hacker group known as Evil Corp. Like other file-encrypting malware, WastedLocker infects computers, and locks the user’s files in exchange for a ransom, typically demanded in cryptocurrency.
Malwarebytes said that WastedLocker does not yet appear to have the capability to steal or exfiltrate data before encrypting the victim’s files, unlike other, newer ransomware strains. That means companies with backups may be able to escape paying the ransom. But companies without backups have faced ransom demands as much as $10 million.
Evil Corp has a long history of malware and ransomware attacks. The group, allegedly led by a Russian national Maksim Yakubets, is known to have used Dridex, a powerful password-stealing malware that was used to steal more than $100 million from hundreds of banks over the past decade. Later, Dridex was also used as a way to deliver ransomware.
Yakubets, who remains at large, was indicted by the Justice Department last year for his alleged part in the group’s “unimaginable” amount of cybercrime during the past decade, according to U.S. prosecutors.
The Treasury also imposed sanctions on Evil Corp, including Yakubets and two other alleged members, for their involvement in the decade-long hacking campaign.
By imposing sanctions, it’s near-impossible for U.S.-based companies to pay the ransom — even if they wanted to — as U.S. nationals are “generally prohibited from engaging in transactions with them,” per a Treasury statement.
Brett Callow, a threat analyst and ransomware expert at security firm Emsisoft, said those sanctions make it “especially complicated” for U.S.-based companies dealing with WastedLocker infections.
“WastedLocker has been attributed by some security companies to Evil Corp, and the known members of Evil Corp — which purportedly has loose connections to the Russian government — have been sanctioned by the U.S. Treasury,” said Callow. “As a result of those sanctions, U.S persons are generally prohibited from transacting with those known members. This would seem to create a legal minefield for any company which may be considering paying a WastedLocker ransom,” he said.
Efforts to contact the alleged hackers were unsuccessful. The group uses different email addresses in each ransom note. We sent an email to two known email addresses associated with a previous WastedLocker incident, but did not hear back.
A Garmin spokesperson could not be reached for comment by phone or email on Saturday. (Garmin’s email servers have been down since the start of the incident.) Messages sent over Twitter were also not returned. We’ll update if we hear back.