A Diamond Model Analysis on Twitter's Biggest Hack
Chaitanya Rahalkar
TL;DR
This paper analyzes the 2020 Twitter account hijacking through the Diamond Model, mapping the incident to its four core features (Adversary, Capability, Infrastructure, and Victim) to reveal the attack's structure and policy implications. It identifies the OGUsers-linked operation as the adversary; the capability was phone spear-phishing used to compromise Twitter employees and the resulting misuse of the internal Admin Tool to alter account credentials; the compromised accounts then served as infrastructure to broadcast a Bitcoin scam. The paper outlines the sequential phases, from reconnaissance and credential theft to internal network access and campaign execution, and presents two activity threads linking direct and indirect victims. It concludes with policy recommendations, including network segmentation and zero-trust principles, to reduce similar attack surfaces in large online platforms.
Abstract
Cyberattacks have increased markedly over the past few years and have targeted actors from a wide variety of domains. Understanding the motivation, infrastructure, attack vectors, and related factors behind such attacks is vital both for proactively preventing similar attacks in the future and for analyzing their economic and social impact. In this paper, we leverage the Diamond Model to perform an intrusion analysis case study of the 2020 Twitter account hijacking cyberattack. We follow this standardized incident response model to map the adversary, capability, infrastructure, and victim, and perform a comprehensive analysis of the attack and the impact it posed from a cybersecurity policy standpoint.
