T0011 "Compromise legitimate accounts"

Tactic stage: TA16

Summary: Hack or take over legimate accounts to distribute misinformation or damaging content.

Relationships

Has counters:

C00053 Delete old accounts / Remove unused social media accounts

C00098 Revocation of allowlisted or "verified" status

C00133 Deplatform Account*

C00153 Take pre-emptive action against actors' infrastructure

C00182 Redirection / malware detection/ remediation

C00189 Ensure that platforms are taking down flagged accounts

C00197 remove suspicious accounts

Detection methods include:

F00019 Activity resurgence detection (alarm when dormant accounts become activated)

F00020 Detect anomalous activity

F00023 Periodic verification (counter to hijack legitimate account)

F00058 Deplatform (cancel culture)

F00062 Detect when Dormant account turns active

F00064 Monitor reports of account takeover

F00093 S4d detection and re-allocation approaches

Datasets

Examples include:

E000012 White House explosions: Syrian Electronic Army (2013) series of false tweets from a hijacked Associated Press Twitter account claiming that President Barack Obama had been injured in a series of explosions near the White House. The false report caused a temporary plunge of 143 points on the Dow Jones Industrial Average.

Seen in incidents:

I00042 as “hack” of Qatar’s official news agency: