After a malicious actor took over the X account of the US Securities and Exchange Commission (SEC) two weeks ago to prematurely announce the expected Bitcoin ETF approval, the agency has now shared further details on the incident. According to a new statement from the regulator, the attackers gained control of the phone number associated with the SEC's X account through SIM swapping and used that number to reset the account's password.
SIM swapping is an attack technique in which attackers take over the target's phone number so that calls and SMS messages intended for the target, including one-time codes and password-reset links, are delivered to them instead. The takeover typically works by impersonating the target to the mobile carrier, using personal data gathered beforehand through social engineering; no malware or technical flaw on the target's devices is required.
If the attackers can convince the carrier that they are the rightful owner of the number, the carrier transfers it to a SIM card in their possession, and from that moment every service that uses the number as a recovery or verification channel trusts the attacker.
The investigations continue, and it remains unclear how the attackers who took over the SEC’s X-account obtained knowledge of the associated phone number. The agency also stated that they are currently investigating how unauthorized individuals managed to persuade the SEC’s telecommunications provider to transfer the number to a different SIM card.
The SEC also addressed the fact that multi-factor authentication (MFA) was not enabled on its X account at the time; several US senators had recently criticized this lapse. According to the SEC, MFA had been active until July 2023 but was then disabled because of problems accessing the account, and it was not re-enabled until after the account was compromised on January 9, 2024. With MFA off, control of the phone number alone was enough to complete a password reset.
"MFA is currently enabled for all SEC social media accounts that support it," the agency emphasized. So far there is no evidence that the attackers gained access to any other SEC systems, data, devices, or social media accounts. The agency continues to work with various law enforcement and federal regulatory agencies to investigate the case.