Security experts 'concerned' over compromise of British Army's social media accounts
For a number of hours on Sunday evening, the British Army's Twitter and YouTube accounts were peddling NFTs
The operational security (opsec) of the British Army has been questioned by security experts after its social media accounts were compromised on Sunday.
Both the British Army’s Twitter and YouTube accounts were taken over by a currently unknown party this weekend, resulting in the feeds being changed to promote non-fungible tokens (NFTs) before being reverted to normal.
While the accounts were under the compromisers’ control, NFT-related tweets were posted and retweeted, the account’s images were changed, and the display names were also altered. The Twitter account handle was never tampered with throughout the incident.
The videos on the military’s YouTube channel were deleted and replaced with Elon Musk-themed pro-cryptocurrency videos which amassed thousands of viewers.
Concerns have been raised over the opsec of the British Army’s social media team and how such a compromise was ever able to take place.
John Scott-Railton, senior researcher at Toronto-based Citizen Lab, said scams that target verified accounts and attempt to take them over are common, but raised the question of how easy it would be for a hostile nation-state to see success with a similar campaign. It “should trouble our sleep,” he said in a tweet.
Fielding questions on how effective the communications from a hijacked account could be, Scott-Railton pointed to Citizen Lab’s previous work on risk models for this situation.
One example he used to demonstrate the effect was the case of the Syrian Electronic Army hacking the Associated Press’ Twitter account, posting tweets claiming two explosions had hit the White House leaving then-President Barack Obama injured.
The incident went on to bring the Dow Jones Index down by 1% briefly, he said.
Responding to the compromise of the British Army’s feeds, the Ministry of Defence (MoD) said that “an investigation is underway” and that it would not comment any further until that investigation has reached its conclusion.
Although it’s currently unclear how the compromisers took control of the social media accounts, one former MoD and GCHQ cyber security expert has said that one possibility is that a third party in the British Army’s supply chain gained access through a plug-in or social media management tool.
“If this plugin or tool was not protected then it could have given the cyber attacker the ability to directly post onto the social media accounts without having to log in to both Twitter or YouTube,” said James Griffiths, co-founder and technical director at Cyber Security Associates.
“The British Army social media management team may have been a target, however, it’s likely that they would have had multi-factor authentication (MFA) in place to prevent an attack like this from happening,” he added.
“Clearly both Twitter and YouTube have MFA capability to protect accounts so it will be interesting to know for sure how the attackers managed to compromise these high-profile accounts.”