In a string of attacks over the past two weeks, Turkish hackers have broken into prominent US conservatives’ Twitter accounts, tweeted nationalist Turkish messages from the accounts, and posted screenshots that appear to show them using the hacked accounts to send direct messages to President Donald Trump.
Given the prominent personalities involved, and the speed at which the accounts were compromised, the hacking might appear to be the handiwork of an expert group of internet bad guys. But that’s far from the case. By all indications, the group claiming responsibility, called Ayyildiz Tim, is a small-time band of troublemakers that has made its name bottom feeding on the most vulnerable parts of the web.
“As hacking groups go, while very prolific, Ayyildiz Tim tend to focus on less sophisticated attacks like credential theft and spear phishing campaigns,” Marc Rogers, Cloudflare head of information security, told BuzzFeed News. “In many cases the group seems to be scanning the internet looking for sites vulnerable to known security weaknesses. Focusing on the low hanging fruit like this is the secret behind how prolific they have been.”
Rogers said Ayyildiz Tim is a civilian hacking group, not a government operation, that was founded in 2002. Its methods are relatively rudimentary by security standards.
The group’s ability to break into numerous high-profile Twitter accounts — including those able to privately message the President of the United States because they are among the 45 accounts he follows — raises still more questions about Twitter's security precautions, which continue to draw scrutiny after a string of humiliating and seemingly easily preventable breaches. Twitter did not respond to multiple requests for comment on the hacking incidents. And it did not respond to an interview request concerning its direct message security protocols following revelations that a number of its employees can read its users’ direct messages.
The hackers initially broke into ex-Fox News personalities Eric Bolling and Greta Van Susteren’s accounts last Tuesday. President Trump follows both of those accounts; within hours the hackers posted screenshots of direct messages they purportedly sent to the president. In the screenshots, the hackers appear to have sent Trump a video featuring Turkish President Recep Tayyip Erdogan, and a message in text featuring one of Erdogan’s favorite catchphrases, “Dunya 5ten Buyuktur,” which means “the world is bigger than five,” referring to the five members of the UN Security Council with veto powers.
The White House did not immediately respond to a request for comment.
Last Friday, the hackers obtained access to Fox News’ Brit Hume’s account, and tweeted, “Your data and your DM correspondence have been captured! The Turks will never forget, neither what is done nor what is evil.” Then, this week, they took over Sheriff David Clarke’s account, and tweeted similar messaging from it.
According to a McAfee report about the attacks, the hackers accessed the accounts using other accounts they had already compromised. The hackers used these compromised accounts to send DMs to other users with links to spoof Twitter login pages meant to trick people into entering their Twitter credentials; some did.
Screengrab of a McAfee post detailing the hack. A spoof Twitter login page like this one was used by the hackers to obtain login credentials to Twitter accounts belonging to prominent US conservatives.
When reached by BuzzFeed News, Ayyildiz Tim shared a long statement in Turkish accusing the US of being child killers and starting wars in Iraq, Libya, Syria, Iran, Palestine. “We have thousands of digital data of America, we collected information through trojans. If we want, we would always be on top of the news but the biggest strategy is to know the strategy of the enemy,” the group said. It did not provide evidence to back up the claims.
Fox News Contributor Sara A. Carter's account seems to have been used to send at least some of the scam links. One link Carter appears to have sent was highlighted in the McAfee report. People on Twitter reported getting direct messages from her urging them to “Please read this important news,” with the link to the phishing site. “You can access it from this link by logging in,” the direct message continued. Carter did not respond to multiple interview requests.
An example of the Twitter DMs the hackers sent to obtain login credentials to prominent US conservatives' accounts. This one seems to show the DM came from Sara Carter's account.
This is not Ayyildiz Tim’s first high-profile hacking. The group hacked and defaced the UN’s Ethiopia page in 2013. It hacked actor Kirk Cameron’s Saving Christmas movie’s webpage in 2014. And it also claimed it hacked Israel’s Iron Dome missile defense system — a boast that drew some media coverage until it proved to be bogus.
With some help from Twitter, Sara Carter is once again tweeting from her account. “My account was hacked and now it's back,” she announced in a Thursday tweet. “Thank goodness and thank you @Twitter for helping me regain control.”
After a string of humiliating security issues, Twitter had already proven itself to be a fraught platform for potentially world-changing communications from the President of the United States. The fact that a group of hackers was apparently able to get close to the president is worrisome, especially since it was a band of unsophisticated hackers employing simple methods.
Contributing: Kevin Collier, Alp Ozcelik, Eric Morrow