The United States Securities and Exchange Commission (SEC) attributed a breach of its official X account to a SIM swap attack, indicating that the hacker took control of a staff member’s phone.
Blaming SIM Swap Attack The SEC, the top regulatory authority in the USA, fell victim to a SIM-swapping attack that compromised its official X account. On January 9th, an unauthorized party accessed the SEC’s account and posted fake news claiming the approval of the first-ever spot Bitcoin ETF, triggering significant fluctuations in the crypto markets. Following the post, Bitcoin’s price surged from $45,000 to $48,000. The SEC swiftly issued a clarification, leading to a price drop below $46,000. A spokesperson for the SEC explained,
“Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.”
The spokesperson revealed that six months before the attack, the SEC staff had disabled multi-factor authentication (MFA). This security layer was only reinstated after the January 9th attack.
“While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account. Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on the 9th of January. MFA currently is enabled for all SEC social media accounts that offer it.”
Understanding SIM Swapping SIM swapping involves transferring a phone number to another device without the owner’s consent, allowing the hacker to intercept messages and calls. Once in control of the phone number, the hacker can reset passwords. Lack of two-factor authentication made a SIM swap and password change sufficient for accessing the SEC account.
Rising Threat of SIM Swap Attacks Cybersecurity expert Chris Pierson emphasized that SIM swap attacks pose a significant threat to government agencies and corporations. Pierson, a former member of the Department of Homeland Security’s Cybersecurity Subcommittee and Privacy Committee, noted,
“Originally, these attacks flourished as a means for criminals to hijack an individual’s cryptocurrency wallet or account, but they’re now being weaponized by other criminal actors and nation-states for a much wider range of uses.”
In various instances, influential accounts have been targeted for pump-and-dump stock schemes, spreading disinformation, and tarnishing reputations.
“While this is becoming a more serious problem, with more organized and sophisticated actors, we’re still seeing many agencies and companies continue to make basic mistakes with the security of these accounts.”
The SEC clarified that there is no evidence indicating the hacker accessed its systems, data, devices, or other social media accounts. Law enforcement is currently investigating how the hacker convinced the carrier to change the SIM for the account and how they identified the associated phone number.
