The communication company Twilio suffered a breach at the beginning of August that it says impacted 163 of its customer organizations. Out of Twilio’s 270,000 clients, 0.06 percent might seem trivial, but the company’s particular role in the digital ecosystem means that that fractional slice of victims had an outsized value and influence. The secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta are all Twilio customers that were secondary victims of the breach.
Twilio provides application programming interfaces through which companies can automate call and texting services. This could mean a system a barber uses to remind customers about haircuts and have them text back “Confirm” or “Cancel.” But it can also be the platform through which organizations manage their two-factor authentication text messaging systems for sending one-time authentication codes. Though it’s long been known that SMS is an insecure way to receive these codes, it’s definitely better than nothing, and organizations haven’t been able to move away from the practice completely. Even a company like Authy, whose core product is an authentication code-generating app, uses some of Twilio’s services.
The Twilio hacking campaign, by an actor that has been called “0ktapus” and “Scatter Swine,” is significant because it illustrates that phishing attacks can not only provide attackers valuable access into a target network, but they can even kick off supply chain attacks in which access to one company’s systems provides a window into those of their clients.
“I think this will go down as one of the more sophisticated long-form hacks in history,” said one security engineer who asked not to be named because their employer has contracts with Twilio. “It was a patient hack that was super-targeted yet broad. Pwn the multi-factor authentication, pwn the world.”
Attackers compromised Twilio as part of a massive, yet tailored phishing campaign against more than 130 organizations in which attackers sent phishing SMS text messages to employees at the target companies. The texts often claimed to come from a company’s IT department or logistics team and urged recipients to click a link and update their password or log in to review a scheduling change. Twilio says that the malicious URLs contained words like “Twilio,” “Okta,” or “SSO” to make the URL and the malicious landing page it linked to seem more legitimate. Attackers also targeted the internet infrastructure company Cloudflare in their campaign, but the company said at the beginning of August that it wasn’t compromised because of its limits on employee access and use of physical authentication keys for logins.
“The biggest point here is the fact that SMS was used as the initial attack vector in this campaign instead of email,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “We’ve started to see more actors pivoting away from email as initial targeting and as text message alerts become more common within organizations it’s going to make these types of phishing messages more successful. Anecdotally, I get text messages from different companies I do business with all the time now, and that wasn’t the case a year ago.”