Three days ago, at 13:07 Eastern, the Associated Press's Twitter account posted "Breaking: Two Explosions in the White House and Barack Obama is injured." It was a hoax. The AP account had been compromised approximately ten minutes earlier through what AP have now confirmed was a spear-phishing email targeting their newsroom credentials, almost certainly by the Syrian Electronic Army which has been running similar operations against Western news organisations through the spring. AP's social-media team noticed the compromise within ninety seconds and was working with Twitter to suspend the account within three minutes; Twitter completed the suspension by 13:11. The Dow Jones Industrial Average dropped approximately a hundred and forty points — about $136 billion of market capitalisation — in the three minutes between the tweet and the suspension, before recovering to close approximately flat.

The proximate event is uninteresting: another phishing-driven account compromise in a year that has had more than its share of them. The structural implication that has people up at night is what the speed of the market reaction tells us about the algorithmic-trading layer that now sits underneath the financial markets. High-frequency trading systems read Twitter feeds, parse them for sentiment and entity mentions, and trade in fractions of a second on what they read. A breaking-news tweet about explosions at the White House from a credible source (AP) is exactly the kind of input the algorithms have been built to act on; they did, in coordination, in approximately the time it took human traders to even register what had happened. The market move was driven by automated systems reading social media, not by humans reacting to news.

This is structurally novel. Algorithmic trading on news feeds is not new — it has been operational for at least a decade. What is new is the demonstration of how a single compromise of a high-credibility account can produce a market response of meaningful scale before any human-in-the-loop verification can act. The political-cyber category we have been tracking through Anonymous, AntiSec, Operation Tunisia, Operation Payback, and now the Syrian Electronic Army has, in this incident, intersected with the financial-markets category in a way that none of the previous incidents did. The space of attacks that produce direct financial market impact through information-credibility manipulation is now operationally demonstrated, and it is in scope for any state or quasi-state actor with the technical capability to phish a journalist.

For the engagements with media exposure — News International most directly, Browne Jacobson less directly through their reputation-management practice, several Hedgehog clients with public-relations functions — the post-AP conversation has been about the credentials used for organisationally-authorised social-media accounts. The questions are: who has the password; how is it stored; with whom is it shared, and how; what would happen if it were compromised; how would you know. For most clients, the answers are: too many people; in a password manager that may not be properly secured; informally; you would be in the AP situation; you would not know until it had already happened. The defensive answer is the same answer it was when the FBI conference call leak demonstrated similar issues last year: organisationally-controlled credentials need organisationally-controlled access, and the credential-handling process needs to assume that any individual employee's email may be compromised.

The Syrian Electronic Army angle is its own story. The group has been running a sustained campaign through the spring, hitting the BBC, Al Jazeera English, NPR, the Guardian, and now AP, all through similar spear-phishing techniques. Brian Krebs has been the most useful running source on the technical chain of the SEA's operations this spring. The compromised accounts have been used variously for political messaging, for embarrassment, and now (probably accidentally) for market-moving disinformation. The group's affiliation with the Syrian government is unclear — there are open-source-intelligence pieces arguing both for and against direct state sponsorship — but the operational tempo and the targeting profile suggest at minimum state acquiescence. The political-cyber category is, in the spring of 2013, broader than it was in 2011, and is increasingly associated with regional state actors using freelance or affiliated technical capability rather than running their own internal operations.

For the Hedgehog SOC, the AP incident has produced one addition to the detection content: monitoring for credential-compromise indicators on social-media management platforms. Most of the SOC clients use third-party social-media tools (Hootsuite, Sprout Social, similar) rather than logging into Twitter directly. The detection patterns for unusual access to those tools — unusual times, unusual geography, unusual posting patterns — are now in the engagement-team material. The credential-handling discipline at the engagement clients has been the subject of two separate conversations this week.
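As an added illustration of the detection patterns just described (example code written for this post, not Hedgehog SOC content or any vendor's API), here is a small Python detector run over a constructed audit log from a hypothetical social-media management tool. The log format, the `newsdesk` account, the newsroom business hours, the `ZZ` placeholder country code and the burst thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for a hypothetical social-media management tool.
# Format (assumed): ISO timestamp, account user, event type, login/post country.
SAMPLE_LOG = """\
2013-04-23T09:02:00 newsdesk login US
2013-04-23T09:05:10 newsdesk post US
2013-04-23T11:40:00 newsdesk post US
2013-04-23T12:57:30 newsdesk login ZZ
2013-04-23T13:06:40 newsdesk post ZZ
2013-04-23T13:07:02 newsdesk post ZZ
2013-04-23T13:07:20 newsdesk post ZZ
2013-04-24T03:15:00 newsdesk login US
"""

BUSINESS_HOURS = range(7, 20)        # assumed newsroom hours, 07:00-19:59 local
BURST_WINDOW = timedelta(minutes=5)  # posting-burst window (assumption)
BURST_COUNT = 3                      # posts inside the window that raise an alert

def parse(log):
    """Turn the log text into (timestamp, user, event, country) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, event, country = line.split()
        events.append((datetime.fromisoformat(ts), user, event, country))
    return events

def detect(events, known_countries):
    """Flag off-hours logins, logins from outside each user's country baseline,
    and posting bursts. known_countries maps user -> set of baseline codes."""
    alerts = []
    recent_posts = defaultdict(list)  # user -> post timestamps still in the window
    for ts, user, event, country in sorted(events):
        if event == "login":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((ts, user, "off-hours login"))
            if country not in known_countries.get(user, set()):
                alerts.append((ts, user, f"login from new country {country}"))
        elif event == "post":
            window = [t for t in recent_posts[user] if ts - t <= BURST_WINDOW]
            window.append(ts)
            recent_posts[user] = window
            if len(window) >= BURST_COUNT:
                alerts.append((ts, user, f"posting burst: {len(window)} posts in {BURST_WINDOW}"))
    return alerts

if __name__ == "__main__":
    for ts, user, reason in detect(parse(SAMPLE_LOG), {"newsdesk": {"US"}}):
        print(f"{ts.isoformat()} {user}: {reason}")
```

The per-user country baseline would in practice be learned from the tool's own access history rather than hard-coded; the burst rule is deliberately blunt, since a newsroom account that posts three times in five minutes from a country it has never logged in from is worth a human look regardless of content.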

The wider piece I have been thinking about is the algorithmic-trading angle. There is a paper to write about the structural fragility of news-driven algorithmic trading, and I have been outlining it for the past two days. Whether I publish it here or work it into a piece for the engagement team is a decision for the next fortnight. The honest argument is that the financial markets are now sitting on top of a layer of automated decision-making that is sensitive to information attacks the regulatory infrastructure has not yet started thinking about. Whether the SEC and equivalents catch up before the next AP-scale incident is unclear; the more concerning question is what happens when the next AP-scale incident is intentional rather than collateral.

The next post is probably either the continued AP fallout — there are still several open questions about what will happen at the AP-Twitter relationship and what regulatory follow-up the SEC may pursue — or whatever surfaces from the persistent rumours about a major US bank breach that several of my correspondents have been mentioning over the past fortnight.
