Legion’s high-profile Twitter hacks have us looking the wrong way

Three thimbles

The hacking group Legion is rapidly making a name for itself thanks to a spate of high-profile Twitter account takeovers. The eye-catching hacks have been embarrassing for the victims and great for celebrity-hungry media reporters but they’re a shiny, showy distraction.

At the end of last month two Twitter accounts with well in excess of 1m followers were compromised by Legion.

The official accounts of the Indian National Congress Party and of its vice-president, Indian MP Rahul Gandhi, were used to broadcast a series of rambling and profane anti-establishment tweets.

Alongside tweets saying “Congress can kiss our ass” and calling Gandhi a “silly retarded tw4t” was the less distracting but rather more ominous “Coming up is a full dump of inc.in congress emails, stay tuned for Christmas special. We have enough info to drop your party down to shreds.”

Nine days later the hackers calling themselves Legion (a nod perhaps to the “we are legion” slogan beloved of Anonymous) took over the Twitter feed of billionaire Vijay Mallya.

The account was used to disclose details of the fugitive businessman’s assets and his UK residency permit, as well as a number of email addresses and passwords under the message “all known passwords of Mr Mallya”.

Later that same day NDTV journalists Barkha Dutt and Ravish Kumar became the group’s fourth and fifth victims.

Legion used Barkha Dutt’s account to tweet screenshots of her emails and credentials for a webmail account. The group also posted a link to an Outlook mail file with the message “An outlook .pst dump of a partial barka dutt sent emails” before promising “Barkha dutt e-mail dump coming soon. Stay tuned. -Legion.”

It’s not just Barkha Dutt’s email that appears to be compromised though. In an interview with Mashable a member of Legion claimed to be taking over accounts using Twitter’s password reset functionality – something that would require them to have access to victims’ email accounts.

The spokesperson also boasted of having found a way around Twitter’s implementation of 2FA (two-factor authentication):

In the hacks in the past weeks, nothing was abused except Twitter’s password reset functionality … We also use our Twitter 2FA (two-factor authentication) bypass to get access to the account, when needed.

Such a bypass would imply a flaw in Twitter itself, something that both Twitter and the very same Legion spokesperson, in the same interview, deny is the case.

Legion’s need to bypass 2FA is also disputed by OpIndia.com, which claims that the victims were not using 2FA:

An employee of Twitter confirmed that the Twitter accounts were hacked as the users like Rahul Gandhi, Vijay Mallya and now Barkha Dutt were not using the two-step authentication process

In other words the hacked Twitter accounts, email dumps and leaked personal information were all the result of Legion breaking into the email accounts of famous people. The noisily compromised Twitter accounts are a consequence, not the cause.

Factor Daily claims that internet registrar and hosting company Net4 is a common link between the hacks on Rahul Gandhi and Vijay Mallya.

Author Ramarko Sengupta speculates that the Legion hackers might have accessed Net4 and compromised the victims’ MX records (MX records are a type of DNS record that tell computers where to deliver your mail).

If an attacker can compromise your MX records then they can be used to launch a Man-in-the-Middle (MitM) attack against you: your email is delivered to the attacker’s mail server, copied and then forwarded on to you without you realising anything is wrong.
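One defensive check the MX-hijack scenario suggests: compare a domain’s live MX records against a known-good baseline and flag any record that would outrank the legitimate mail servers. This is an added example, not code from the article or from any party it names; the domain names, the baseline and the `dig +short MX` output are all constructed.

```python
import re
from typing import NamedTuple

class MxRecord(NamedTuple):
    preference: int
    host: str

# Constructed sample of `dig +short MX` output for a hypothetical domain;
# the third line is an unexpected record with the best (lowest) preference.
SAMPLE_DIG_OUTPUT = """\
10 mx1.example-party.org.
20 mx2.example-party.org.
5 relay.attacker-controlled.example.
"""

# Baseline recorded when the zone was known to be good (constructed).
BASELINE = {
    MxRecord(10, "mx1.example-party.org"),
    MxRecord(20, "mx2.example-party.org"),
}

def parse_mx(dig_output: str) -> set[MxRecord]:
    """Parse `dig +short MX` lines ("<pref> <host>.") into normalised records."""
    records = set()
    for line in dig_output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+?)\.?\s*$", line)
        if m:
            records.add(MxRecord(int(m.group(1)), m.group(2).lower()))
    return records

def check_mx(observed: set[MxRecord], baseline: set[MxRecord]) -> list[str]:
    """Return findings; an empty list means the zone matches the baseline."""
    findings = []
    for rec in sorted(observed - baseline):
        findings.append(f"unexpected MX {rec.preference} {rec.host}")
    for rec in sorted(baseline - observed):
        findings.append(f"missing MX {rec.preference} {rec.host}")
    # A lower preference than any baseline record receives mail first,
    # which is exactly the change an MX-based interception needs.
    best_baseline = min(r.preference for r in baseline)
    for rec in sorted(observed):
        if rec not in baseline and rec.preference <= best_baseline:
            findings.append(f"HIGH: {rec.host} now outranks every legitimate MX")
    return findings

if __name__ == "__main__":
    for finding in check_mx(parse_mx(SAMPLE_DIG_OUTPUT), BASELINE):
        print(finding)
```

Run it on a schedule against the real zone and alert on any non-empty result; registrar-side changes are invisible to the mail server itself, so this kind of external check is the only place they show up.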

Jasjit Sawhney, Net4’s CEO, responded to Factor Daily with a belligerent denial:

[We] can confirm that no such hack has happened on “our servers”.

Now in 99% of the cases people end up compromising the security of their email accounts and social media accounts either through their own known people/agencies or through careless passwords.

We can further confirm that neither Vijay Mallya, nor the Indian National Congress avail email services through Net4, so any such allegation is quite absurd.

Legion themselves indicated that, even if they are intercepting email, they also appear to be accessing email accounts directly. In an instant message interview with the Washington Post one of the Legion group lambasted the tycoon for keeping logins in a notes folder:

Like, m8
You’re a billionaire
And you keep
Your bank logins
IN A NOTES FOLDER
in your private email
Unencrypted

The victim’s folder structure wouldn’t be visible to an attacker intercepting mail via MX records.

It also seems unlikely that a group so painfully keen on telling interviewers how l33t they are would convert intercepted mail into a so-uncool Outlook .pst file (the format they used to dump Barkha Dutt’s email) before dumping it.

Of course a MitM attack would allow the hackers to intercept password reset emails for other services too, such as GMail or Outlook.com (which exports email in .pst files), not just Twitter.

Speaking to Factor Daily Legion has threatened to make sansad.nic.in, keepers of the government’s @gov.in emails, the next target:

Next is a dump of sansad.nic.in emails
Which is – quite big

It includes a lot of _BIG FISH_

The Washington Post interview also hints at the Twitter hacks being the eye-catching tip of a much larger, less headline-friendly breach.

The Legion told WaPo’s Max Bearak that they had “several terabytes of raw data” in which they’d identified “gigabytes worth of information relating to Indian public figures”:

When I asked him how they came into possession of so much data, he was vague, and said they just “ended up with access to over 40k+ servers in India, and we decided — hey, why not write a tool to sift through them for interesting data?”

Legion would like us to see them as weed-smoking Robin Hoods. They’d like you to think they’re hackers who’ve found vulnerabilities to expose their targets. They aren’t; they’re hackers who’ve found people with vulnerabilities and made them into targets (just as Anonymous often did).

For now they’re basking in the reflected glory of the celebrities they’ve hacked. They might have done better to keep quiet though – history tells us that hackers who get a taste for fame don’t last long.